Is Your Organization Susceptible to “RIPlace”?

Nir Gaist, Founder & CTO, Nyotron

We’re devoting this issue to our recent discovery of “RIPlace” – a new evasion technique that, when used to maliciously alter files, can evade most anti-ransomware methods and Endpoint Detection and Response (EDR) products.

As you scroll through this special edition, you will find several resources to help you protect your organization, including a free tool you can use to determine if your systems are at risk. You can also pre-register to attend our upcoming webinar that will feature a live demonstration of how an attacker might use RIPlace.

We announced RIPlace in late November after following the responsible disclosure process by alerting Microsoft and security vendors. And we continue to be proactive in our effort to educate security professionals because, to date, only a handful of security vendors have acknowledged and confirmed the fix.

Fortunately, the opposite has been the case with the security industry media. More than 30 outlets have reported on the threat RIPlace presents to all organizations.

RIPlace leverages a Windows operating system design flaw rather than a flaw in a specific piece of software. It’s incredibly simple to implement – requiring just two lines of code. We believe that malicious actors may abuse this technique in order to bypass security products and keep their activity stealthy.

The name “RIPlace” describes how the technique can be used to corrupt files by replacing them using the rename file system function, deleting the original file forever. No matter which version of Windows your organization may be using, you need to check whether you’re at risk. Attackers may use RIPlace to target versions ranging from Windows XP to the most recently updated Windows 10, even those with the latest versions of most AV, NGAV and EDR security products installed.

The exception to this rule is that if you’re already using Nyotron’s PARANOID solution, you’re protected.

To learn more, please visit: https://www.nyotron.com/riplace/.

RIPlace TESTING TOOL INSTRUCTIONS

Nyotron offers a free tool to test your system and security products against the RIPlace evasion technique. Use this link to download the packed tool, then follow these simple instructions:

Step 1: Unpack with WinRAR

Step 2: Open the RIPlace.exe file to launch the tool.

Step 3: Drag and drop a test file into the window. Your test file can be any text document, Office document, image or similar file type. Please note:

  • We suggest that you use either a new file created for this test or a copy of an existing file
  • Do not use a 0-byte file
  • Do not use an executable file

Step 4: Press the RIPlace button to initiate the test. Almost immediately you will see one of three results:

1: “Warning! Your system may be susceptible to the RIPlace technique.” 

2: “Success! Your system is unlikely to be susceptible to the RIPlace technique.”

3: “Error! Something went wrong during the test. Contact Nyotron at riplace@nyotron.com”

Step 5: Click the “Find out more…” link in the dialog box, which leads to additional information and guidance on our website.

 


WEBINAR: LIVE DEMO OF RIPlace

“RIPlace Evasion Technique: Can it make ransomware unstoppable?”

Thursday, December 12th | Noon PDT (3:00 PM EDT)

Nyotron Founder and CTO Nir Gaist will demonstrate how an attacker might use RIPlace to maliciously alter files in a way that renders most ransomware protection technologies ineffective, and answer your questions.

Follow this link to register to attend, and we’ll send you a placeholder for your calendar.


NYOTRON LIBRARY

The following resources on RIPlace are also available here: https://www.nyotron.com/riplace/.


RIPlace in the Media Spotlight

More than 30 security and IT media outlets have reported on Nyotron’s discovery of RIPlace, including: