
RIPlace Ransomware Protection Bypass Affects Windows, AV Vendors

RIPlace is a new ransomware bypass technique that was recently detected by security researchers. The technique relies on just a few lines of code to evade the built-in ransomware protection features present in security solutions and in Windows 10.

The RIPlace technique was discovered by several security researchers from Nyotron – Daniel Prizmant, Guy Meoded, Freddy Ouzan, and Hanan Natan. The researchers contacted security vendors and Microsoft about the issue. However, apparently only two vendors took the necessary steps to address the issue and secure the affected product.

The other companies seem to believe that RIPlace is a “non-issue”, the researchers said in a conversation with Bleeping Computer. Affected companies include names such as Microsoft, Symantec, Sophos, Carbon Black, Trend Micro, McAfee, Kaspersky, Cylance, SentinelOne, Malwarebytes, CrowdStrike, and PANW Traps. Kaspersky and Carbon Black are the only companies that secured their products against the RIPlace bypass technique.

RIPlace Ransomware Bypass Technique Explained

To understand how the ransomware bypass works, we need to look at the way ransomware encrypts data. The ransomware has to encrypt the targeted files and replace them with the encrypted data, and it does so through three steps, the last of which can be carried out in one of three ways:

1. Open and read the original file
2. Encrypt the content in memory
3. Destroy the original file by:
– writing the encrypted content into the original file,
– OR saving the encrypted file to disk, then removing the original file using the DeleteFile operation,
– OR saving the encrypted file to disk, then replacing the original file with it using the Rename operation.

For efficient ransomware protection, all three conditions must be neutralized. However, it seems that the third method of replacing files in a specific way could allow the evasion of the ransomware protection.
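The three "destroy the original" variants above are what a ransomware-protection layer has to recognise. The following Python snippet is an added example (it is not the article's code nor Nyotron's research code) that classifies a constructed sequence of file-system events into those three patterns and flags processes that destroy more than one previously-read file. Event tuples, process ids and paths are all made up for the illustration.

```python
"""Classify file-system event sequences into the three "destroy the original"
patterns a ransomware process uses (added example; constructed event log)."""
from collections import defaultdict

# Constructed sample event log: (pid, op, path, new_path). Not real telemetry.
SAMPLE_EVENTS = [
    (100, "read",   r"C:\docs\a.txt", None),
    (100, "write",  r"C:\docs\a.txt", None),                 # variant 1: overwrite in place
    (100, "read",   r"C:\docs\b.txt", None),
    (100, "write",  r"C:\docs\b.txt.enc", None),
    (100, "delete", r"C:\docs\b.txt", None),                 # variant 2: write copy, DeleteFile original
    (100, "read",   r"C:\docs\c.txt", None),
    (100, "write",  r"C:\docs\c.tmp", None),
    (100, "rename", r"C:\docs\c.tmp", r"C:\docs\c.txt"),     # variant 3: Rename new file over original
    (200, "read",   r"C:\docs\d.txt", None),
    (200, "write",  r"C:\docs\d.txt", None),                 # an ordinary editor saving one document
]


def classify_events(events):
    """Return {pid: [(pattern, original_path), ...]} for every event sequence
    that matches one of the three destroy-the-original patterns."""
    read_by = defaultdict(set)     # pid -> paths the process has read (candidate originals)
    written_by = defaultdict(set)  # pid -> new files the process has written (candidate ciphertext)
    findings = defaultdict(list)
    for pid, op, path, new_path in events:
        if op == "read":
            read_by[pid].add(path)
        elif op == "write":
            if path in read_by[pid]:
                # Variant 1: the file that was read is overwritten in place.
                findings[pid].append(("overwrite_in_place", path))
            else:
                written_by[pid].add(path)
        elif op == "delete":
            if path in read_by[pid] and written_by[pid]:
                # Variant 2: a new file was written, then the original deleted.
                findings[pid].append(("write_then_delete", path))
        elif op == "rename":
            if path in written_by[pid] and new_path in read_by[pid]:
                # Variant 3: a freshly written file is renamed over the original.
                findings[pid].append(("rename_over_original", new_path))
    return dict(findings)


def suspicious_pids(events, threshold=2):
    """PIDs that destroyed at least `threshold` previously-read files.
    A single in-place overwrite is what any editor does on save, so the
    threshold keeps pid 200 in the sample out of the alert list."""
    return sorted(pid for pid, hits in classify_events(events).items()
                  if len(hits) >= threshold)


if __name__ == "__main__":
    for pid, hits in classify_events(SAMPLE_EVENTS).items():
        for pattern, original in hits:
            print(f"pid {pid}: {pattern} -> {original}")
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

A detector of this shape is only as good as the rename and delete events it receives: the article's point is that the Rename variant, performed in a specific way, reaches the file system without the protection layer recognising the destination as the original file, so the pattern logic above never fires. Products that want to close the gap must make sure the rename destination they compare against is the real, normalised path of the file being replaced.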

That being said, “RIPlace is a Windows file system technique that, when used to maliciously encrypt files, can evade most existing anti-ransomware methods,” the researchers explained. The reason RIPlace is so tricky is that it leverages a design flaw in the Windows operating system rather than a flaw in a specific piece of software. Furthermore, the bypass is easy to implement.

The researchers also provided two videos to show how RIPlace tricks two popular endpoint security products – Symantec Endpoint Protection and Microsoft Defender Antivirus.

More information about RIPlace is available.

Milena Dimitrova
