This is the first case of RIPlace being utilized by ransomware. The technique relies on just a few lines of code to successfully evade built-in ransomware protection features, present in security solutions and Windows 10.
Thanos Affiliate Program Now Includes the RIPlace Bypass
The Thanos ransomware has been developing under the ransomware-as-a-service model, and has been gaining popularity on underground forums. Despite including this bypass technique, the ransomware doesn’t display any novel or sophisticated behavior. However, the simplicity of the ransomware is the reason that it is gaining popularity amongst cybercriminals.
The Thanos builder enables cybercrime affiliates to create ransomware clients with various options, advertised in its Ransomware Affiliate Program. The builder is offered either as a monthly or lifetime subscription, says Threatpost. The lifetime “company” version includes additional features, including data-stealing functionalities, the RIPlace technique, and lateral-movement capabilities. Security researchers have observed more than 80 different clients offered by the Thanos Affiliate Program. RIPlace can be enabled by choice, resulting in the modification of the encryption process to include the bypass technique.
More about RIPlace
The RIPlace technique was discovered last year by several security researchers from Nyotron – Daniel Prizmant, Guy Meoded, Freddy Ouzan, and Hanan Natan. The researchers contacted security vendors and Microsoft about the issue. However, apparently only two vendors took the necessary steps to address the issue and secure the affected product.
The other companies seemed to believe that RIPlace is a “non-issue”. Affected companies include names such as Microsoft, Symantec, Sophos, Carbon Black, Trend Micro, McAfee, Kaspersky, Cylance, SentineOne, Malwarebytes, Crowdstrike, and PANW Traps. Kaspersky and Carbon Black are the only companies that secured their products against the RIPlace bypass technique. However, the current implementation of RIPlace in an actual ransomware family proves that it is indeed an issue that needs attention.
As for the Thanos ransomware, it seems to be under active development. The ransomware has been receiving positive feedback from cybercriminals on underground forums, which means that it will continue to be weaponized in attacks.