Is Your Organization Susceptible to “RIPlace”?
Nir Gaist, Founder & CTO, Nyotron
We’re devoting this issue to our recent discovery of “RIPlace” – a new evasion technique that, when used to maliciously alter files, can evade most anti-ransomware methods and Endpoint Detection and Response (EDR) products.
As you scroll through this special edition, you will find several resources to help you protect your organization, including a free tool you can use to determine if your systems are at risk. You can also pre-register to attend our upcoming webinar that will feature a live demonstration of how an attacker might use RIPlace.
We announced RIPlace in late November after following the responsible disclosure process by alerting Microsoft and security vendors. And we continue to be proactive in our effort to educate security professionals because, to date, only a handful of security vendors have acknowledged and confirmed the fix.
Fortunately, the opposite has been the case with the security industry media. More than 30 outlets have reported on the threat RIPlace presents to all organizations.
RIPlace leverages a Windows operating system design flaw rather than a flaw in a specific piece of software. It’s incredibly simple to implement – requiring just two lines of code. We believe that malicious actors may abuse this technique in order to bypass security products and keep their activity stealthy.
The name “RIPlace” describes how the technique can be used to corrupt files by replacing them using the rename file system function, deleting the original file forever. No matter which version of Windows your organization may be using, you need to check whether you’re at risk. Attackers may use RIPlace to target versions from Windows XP to the most recently updated Windows 10, even those with the latest versions of most AV, NGAV and EDR security products installed.
The exception to this rule is that if you’re already using Nyotron’s PARANOID solution, you’re protected.
To learn more, please visit: https://www.nyotron.com/riplace/.
RIPlace TESTING TOOL INSTRUCTIONS
Nyotron offers a free tool to test your system and security products against the RIPlace evasion technique. Use this link to download the packed tool, then follow these simple instructions:
Step 1: Unpack with WinRAR
Step 2: Open the RIPlace.exe file to launch the tool.
Step 3: Drag and drop a test file into the window. Your test file can be any text document, Office document, image or similar file type. Please note:
- We suggest that you either create a new file to use for this test, or a copy of an existing file
- Do not use a 0-byte file
- Do not use an executable file
Step 4: Press the RIPlace button to initiate the test. Almost immediately you will see one of the three results:
1: “Warning! Your system may be susceptible to the RIPlace technique.”
2: “Success! Your system is unlikely to be susceptible to the RIPlace technique.”
3: “Error! Something went wrong during the test. Contact Nyotron at riplace@nyotron.com”
Step 5: Click the “Find out more…” link in the dialog box, which leads to additional information and guidance on our website.
WEBINAR: LIVE DEMO OF RIPlace
“RIPlace Evasion Technique: Can it make ransomware unstoppable?”
Thursday, December 12th | Noon PDT (3:00 PM EDT)
Nyotron Founder and CTO Nir Gaist will demonstrate how an attacker might use RIPlace to maliciously alter files in a way that renders most ransomware protection technologies ineffective, and answer your questions.
Follow this link to register to attend, and we’ll send you a placeholder for your calendar.
NYOTRON LIBRARY
The following resources on RIPlace are also available here: https://www.nyotron.com/riplace/.
- Nyotron Research team report: “RIPlace Evasion Technique: High Probability Ransomware Detection Bypass and EDR Evasion”
- Nyotron blog: “Nyotron Discovers Potentially Unstoppable Ransomware Evasion Technique: ‘RIPlace’”
- Videos:
  - How RIPlace bypasses Symantec Endpoint Protection (SEP)
  - How RIPlace bypasses Microsoft Defender Antivirus (Defender AV)
- Download the free RIPlace testing tool
- Register to attend Dec. 12 webinar “RIPlace Evasion Technique: Can it make ransomware unstoppable?”
RIPlace in the Media Spotlight
More than 30 security and IT media outlets have reported on Nyotron’s discovery of RIPlace, including:
- Bleeping Computer: “New RIPlace Bypass Evades Windows 10, AV Ransomware Protection”
- Silicon Republic: “New Microsoft file system technique can make ransomware ‘invisible’”
- Security Week: “New Technique Allows Ransomware to Operate Undetected”
- Security Now: “Dangerous ‘RIPlace’ Exploit Able to Bypass AV & EDR Protections”
- GBHackers on Security: “RIPlace – A new Evasion Technique that Let Ransomware to Encrypt Files Undetected”