Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

New Technique Allows Ransomware to Operate Undetected

A recently discovered technique allows ransomware to encrypt files on Windows-based systems without being detected by existing anti-ransomware products, Nyotron security researchers warn.

A recently discovered technique allows ransomware to encrypt files on Windows-based systems without being detected by existing anti-ransomware products, Nyotron security researchers warn.

Dubbed RIPlace, the technique allows malware to bypass defenses using the legacy file system “rename” operation, and the security researchers say it is effective even against systems that are timely patched and run modern antivirus solutions.

RIPlace, the researchers say, can be used to alter files on any computers running Windows XP or newer versions of Microsoft’s operating system. 

In a detailed report covering the findings (PDF), the researchers note that most ransomware operates by opening and reading the original file, encrypting content in memory, and then destroying the original file by writing encrypted content to it/saving the encrypted file and then erasing the original/or by saving the encrypted file and then leveraging Rename to replace it.

When a Rename request is called (IRP_MJ_SET_INFORMATION with FileInformationClass set to FileRenameInformation), the filter driver gets a callback. 

What the researchers discovered was that, if DefineDosDevice (a legacy function that creates a symlink), is called before Rename, one could pass an arbitrary name as the device name, along with the original file path as the target to point on. 

The issue, they explain, is that the callback function filter driver “fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation.” Although an error is returned when passing a DosDevice path, the Rename call succeeds.

“Using this technique, it is possible to maliciously encrypt files and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback. We believe that malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products,” the researchers explain.

Advertisement. Scroll to continue reading.

The researchers discovered the technique in spring 2019 and have been in contact with Microsoft, security vendors, and law enforcement and regulatory authorities. Unfortunately, they say only a handful of security vendors have acknowledged a fix, despite dozens being impacted.

Nyotron published two videos demonstrating how RIPlace can bypass Symantec Endpoint Protection (SEP) and Microsoft Defender Antivirus (Defender AV) and also released a free tool that allows anyone to test their system and security products against RIPlace evasion technique.

Related: Organizations Warned of Dual Threat Posed by RDP and Disruptive Ransomware

Related: Open Source-Based Ransomware Targets Fortnite Players

Related: The Growing Threat of Targeted Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups.