New ransomware technique evades most updated security protection and Windows 10

• The technique, dubbed RIPlace, required only a few lines of code to elude inbuilt ransomware protection features.
• It is even effective against systems that are timely patched and run modern antivirus solutions.

Researchers of an end-point security solution firm recently stumbled upon a new technique that allows a ransomware to encrypt files on Windows systems without drawing the attention of existing anti-ransomware products.

The backstory

After discovering the technique, researchers from the firm got in touch with Microsoft, security vendors, law enforcement and regulatory authorities, and others.

• Nyotron told BleepingComputer that they tested RIPlace against over a dozen vendors including Microsoft, Symantec, Sophos, McAfee, Carbon Black, Kaspersky, Trend Micro, Cylance, SentinelOne, Crowdstrike, PANW Traps, and Malwarebytes.
• Only a handful of security vendors have acknowledged the issue, despite dozens being impacted.
• Only Kaspersky and Carbon Black modified their software to prevent this technique from the above-mentioned names.

About the new technique—RIPlace

The new ransomware bypass technique, RIPlace was identified by the Nyotron team in Spring 2019. Since the technique wasn’t being used in other major attacks, it was seen as a non-issue by security vendors and Microsoft.

• The technique required only a few lines of code to elude inbuilt ransomware protection features in security products and Windows 10.
• The malware bypass defenses using the legacy file system "rename" operation.
• It is effective even against systems that are timely patched and run modern antivirus solutions, security researchers suggested.
• The technique can be used to alter files on any computers running Windows XP or newer versions of Microsoft’s OS.

How does it work?

Most ransomware operate by first opening and reading the original file, then encrypting content in memory, and then destroying the original file by writing encrypted content to it or saving the encrypted file by renaming and replacing the original one.

The catch is in the last option where the ransomware renames and replaces files. Performing that operation in a special way, allows the bypassing of the protection, researchers discovered.

Now, when a rename request is called (IRP_MJ_SET_INFORMATION with FileInformationClass set to FileRenameInformation), the filter driver gets a callback. It was found that if DefineDosDevice (a legacy function that creates a symlink) is called before Rename, one could pass an arbitrary name as the device name, along with the original file path as the target to point on.

The researchers explained that, “The callback function filter driver fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation.” Although an error is returned when passing a DosDevice path, the Rename call succeeds.

“Using this technique, it is possible to maliciously encrypt files and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback. We believe that malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products,” the researchers noted.

Get help

Meanwhile, Nyotron has published two videos demonstrating how RIPlace can bypass Symantec Endpoint Protection (SEP) and Microsoft Defender Antivirus (Defender AV). It has released a free tool for everyone who wants to test their system and security products against RIPlace.