In November 2019 Nyotron announced the discovery of an evasion technique that could enable cyberattackers to maliciously encrypt files in a way that the majority of anti-ransomware products cannot detect. We called it RIPlace.
You can find full details about the technique, along with videos, an FAQ, a link to the webinar, and other information here. In summary, the RIPlace technique allows bypass of most antivirus, EPP, anti-malware, and anti-ransomware products. Moreover, it leaves no trace, making it invisible to tracking and monitoring tools like endpoint detection and response (EDR).
At the time, we speculated that malicious actors may abuse this technique in order to bypass security products and avoid evidence capture, especially because they only need two lines of code to modify existing ransomware and take advantage of RIPlace.
Our suspicion has been confirmed.
Thanos Ransomware Weaponizes RIPlace
Recorded Future released a report on the Thanos ransomware builder, stating that it “is the first ransomware family observed that advertises the use of the RIPlace tactic”. In fact, Thanos incorporated RIPlace back in January, just about a month and a half after our official announcement.
Thanos ransomware builder with “RIPlace Technology” checkbox (Source: Nulled)
What Does This Mean?
We believe this rapid adoption of the latest defensive research for offensive purposes by threat actors and other cybercriminals once again confirms that:
- Both sides – defenders and attackers – have access to the same technology and research
- The period between public announcement of a flaw or vulnerability and its weaponization is relatively short, sometimes as short as days if not hours
- Vendors who rely on blacklisting approaches are unable to keep up with the volume of new attack methods and techniques. Some have yet to update their products to protect against RIPlace-powered ransomware.
Should a researcher release the information about a vulnerability, even knowing that not all vendors have addressed it? While there is some debate around the government’s stockpiling and use of dangerous computer flaws, the industry consensus is that responsible disclosure is important and necessary.
Typically, responsible disclosure requires giving vendors a 90-day period to address the issue. Nyotron began communicating with Microsoft and dozens of security vendors privately in the Spring of 2019 – almost nine months before our public disclosure – to ensure this technique is appropriately handled. Unfortunately, to date, only a handful of security vendors have acknowledged the fix.
What do Recorded Future’s revelations mean to security practitioners? What can you do about it?
Be proactive. First, we suggest that you leverage our free RIPlace testing tool that you can download here. The tool does not require registration, is not a marketing campaign in disguise, and does not send any telemetry to Nyotron.
All it does is provide a simple test that checks whether your system, together with all of its installed endpoint security/AV products, is susceptible to the RIPlace technique or not. As simple as that.
Second, educate yourself on the technique. You can watch the recording of our short webinar on RIPlace here or read the extensive coverage of this story in the following news outlets: