RIPlace is a new ransomware bypass technique that was recently disclosed by security researchers. It relies on just a few lines of code to evade the built-in ransomware protection features found in security products and in Windows 10.
RIPlace was discovered by security researchers from Nyotron, namely Daniel Prizmant, Guy Meoded, Freddy Ouzan, and Hanan Natan. The researchers contacted security vendors and Microsoft about the issue, but apparently only two vendors took the steps needed to address it in their products.
The other companies seem to regard RIPlace as a “non-issue,” the researchers said in a conversation with Bleeping Computer. Affected vendors include Microsoft, Symantec, Sophos, Carbon Black, Trend Micro, McAfee, Kaspersky, Cylance, SentinelOne, Malwarebytes, CrowdStrike, and Palo Alto Networks (Traps). Kaspersky and Carbon Black are the only two that have secured their products against the RIPlace bypass.
RIPlace Ransomware Bypass Technique Explained
To understand how the bypass works, we need to look at how ransomware encrypts data. Whatever the family, it has to go through three steps, and the third step, destroying the original file, can be carried out in one of three ways:
1. Open and read the original file
2. Encrypt the content in memory
3. Destroy the original file by:
– writing the encrypted content back into the original file,
– OR saving the encrypted content to a new file on disk and removing the original with the DeleteFile operation,
– OR saving the encrypted content to a new file on disk and replacing the original with it using the Rename operation.
Effective ransomware protection therefore has to cover all three ways of destroying the original. RIPlace shows that the third way, a Rename-based replacement performed in a specific manner, can be used to slip past that protection.
“RIPlace is a Windows file system technique that, when used to maliciously encrypt files, can evade most existing anti-ransomware methods,” the researchers explained. What makes RIPlace tricky is that it leverages a design flaw in the Windows operating system rather than a bug in any one product, so each affected vendor has to handle it in its own implementation. The bypass is also easy to implement.
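The three destruction patterns from the list above, reproduced as an added example (not code from the article or from Nyotron) so that the exact file operations an anti-ransomware product must intercept are visible side by side. It runs against a throwaway temporary directory; the single-byte XOR "cipher", the file names and the sample text are assumptions made for the demonstration, and the RIPlace-specific way of issuing the final rename is not reproduced.

```python
import os
import tempfile
from typing import Optional

# Assumption: a single-byte XOR stands in for the real cipher so the bytes on
# disk visibly change; it has no security value and is not RIPlace code.
TOY_KEY = 0x5A

# Constructed sample plaintext used by run_demo(); not data from the article.
SAMPLE = b"Q3 forecast - constructed sample document\n"


def toy_encrypt(data: bytes) -> bytes:
    """Step 2: transform the content in memory (XOR placeholder for a real cipher)."""
    return bytes(b ^ TOY_KEY for b in data)


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def _seed(workdir: str, name: str) -> str:
    """Create one victim file holding SAMPLE and return its path."""
    path = os.path.join(workdir, name)
    with open(path, "wb") as f:
        f.write(SAMPLE)
    return path


def destroy_in_place(path: str) -> None:
    """Variant A: write the ciphertext back into the original file.
    A filter driver sees a read of <path> followed by a truncating write to <path>."""
    ciphertext = toy_encrypt(_read(path))   # steps 1 and 2
    with open(path, "wb") as f:            # step 3, same path, no new file
        f.write(ciphertext)


def destroy_write_then_delete(path: str) -> str:
    """Variant B: write the ciphertext to a new file, then delete the original.
    A filter driver sees a create+write of <path>.enc and a DeleteFile of <path>."""
    ciphertext = toy_encrypt(_read(path))
    new_path = path + ".enc"
    with open(new_path, "wb") as f:
        f.write(ciphertext)
    os.remove(path)                        # DeleteFileW on Windows
    return new_path


def destroy_write_then_rename(path: str) -> None:
    """Variant C: write the ciphertext to a temporary file, then rename it over
    the original. A filter driver sees a create+write of the temp name and a
    rename whose destination is <path>. This is the operation family RIPlace
    abuses; the RIPlace-specific way of issuing the rename is not shown here."""
    ciphertext = toy_encrypt(_read(path))
    tmp_path = path + ".tmp"
    with open(tmp_path, "wb") as f:
        f.write(ciphertext)
    os.replace(tmp_path, path)             # MoveFileEx(..., MOVEFILE_REPLACE_EXISTING) on Windows


def run_demo(workdir: Optional[str] = None) -> dict:
    """Run each variant on its own copy of SAMPLE and report what is left on disk."""
    workdir = workdir or tempfile.mkdtemp(prefix="ransomware-demo-")
    report = {}

    a = _seed(workdir, "a.docx")
    destroy_in_place(a)
    report["in_place"] = {"original_exists": os.path.exists(a), "content": _read(a)}

    b = _seed(workdir, "b.docx")
    new_b = destroy_write_then_delete(b)
    report["write_then_delete"] = {
        "original_exists": os.path.exists(b),
        "new_file": os.path.basename(new_b),
        "content": _read(new_b),
    }

    c = _seed(workdir, "c.docx")
    destroy_write_then_rename(c)
    report["write_then_rename"] = {
        "original_exists": os.path.exists(c),
        "temp_left_behind": os.path.exists(c + ".tmp"),
        "content": _read(c),
    }
    return report


if __name__ == "__main__":
    for variant, outcome in run_demo().items():
        print(f"{variant}: {outcome}")
```

Compare the three outcomes: after variant A the original path still exists but holds ciphertext; after B the original is gone and a sibling .enc file holds the ciphertext; after C the original path exists again with ciphertext and no temp file is left behind. From the user's point of view all three are the same loss, so a behaviour-based anti-ransomware engine has to treat every one of these sequences as the same event, and the rename-based sequence is the one RIPlace shows can be missed.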
The researchers also published two videos showing RIPlace defeating two popular endpoint security products, Symantec Endpoint Protection and Microsoft Defender Antivirus.
More information about RIPlace is available.