Researchers at an endpoint security firm recently stumbled upon a new technique that allows ransomware to encrypt files on Windows systems without drawing the attention of existing anti-ransomware products.
The backstory
After discovering the technique, researchers from the firm got in touch with Microsoft, security vendors, law enforcement and regulatory authorities, and others.
About the new technique—RIPlace
The new ransomware bypass technique, RIPlace, was identified by the Nyotron team in Spring 2019. Since the technique was not being used in other major attacks, security vendors and Microsoft treated it as a non-issue.
How does it work?
Most ransomware operates by first opening and reading the original file, then encrypting its content in memory, and finally destroying the original. It does this either by writing the encrypted content back into the original file, or by saving the encrypted content as a new file and then renaming it over the original.
The catch lies in that last option, where the ransomware renames and replaces files. The researchers discovered that performing this rename in a particular way bypasses the protection.
When a rename request is issued (IRP_MJ_SET_INFORMATION with FileInformationClass set to FileRenameInformation), the filter driver receives a callback. The researchers found that if DefineDosDevice (a legacy function that creates a symlink) is called before the rename, one can pass an arbitrary name as the device name, with the original file path as the target it points to.
The researchers explained that, “The callback function filter driver fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation.” In other words, although that routine returns an error when it is handed a DosDevice path, the rename call itself still succeeds, so the filter never sees the real destination.
“Using this technique, it is possible to maliciously encrypt files and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback. We believe that malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products,” the researchers noted.
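The failure mode described above is that the filter's path resolution returns an error and the rename is nevertheless allowed to proceed unrecorded. The following is an added example, not code from the article or from Nyotron, showing how a pre-rename check can instead fail closed: it resolves the rename destination against a DOS device table (here a constructed stand-in for what QueryDosDevice would return, including an alias of the kind DefineDosDevice can create), flags destinations that are not ordinary drive-letter or native NT paths, and blocks or allows them according to a `fail_closed` policy. All names (`SAMPLE_DOS_DEVICES`, `classify_rename_destination`, `filter_rename`) are hypothetical.

```python
"""Defensive classifier for file-rename destinations (added example).

Pure Python model of a minifilter's pre-rename decision. No Windows APIs
are called; the DOS device table below is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the DOS device table QueryDosDevice would return.
# Drive letters map to volume device objects; "ALIAS1" is the kind of alias
# DefineDosDevice can create, pointing straight at a file rather than a volume.
SAMPLE_DOS_DEVICES = {
    "C:": r"\Device\HarddiskVolume3",
    "D:": r"\Device\HarddiskVolume4",
    "ALIAS1": r"\Device\HarddiskVolume3\Users\alice\report.docx",
}


@dataclass
class RenameVerdict:
    resolved: Optional[str]  # NT path of the destination, if it could be resolved
    suspicious: bool         # True when the destination is not an ordinary volume path
    reason: str


# Win32 device-namespace prefixes (\\.\ and \\?\) and the NT object-manager form (\??\).
_PREFIX_RE = re.compile(r"^(?:\\\\\.\\|\\\\\?\\|\\\?\?\\)")
_DRIVE_LETTER_RE = re.compile(r"^[A-Za-z]:$")


def split_dos_name(dest: str):
    """Return (device_name, remainder) for a Win32-style path, or None for a raw NT path.

    'C:\\x\\y.txt'   -> ('C:', '\\x\\y.txt')
    '\\\\.\\ALIAS1'  -> ('ALIAS1', '')
    '\\Device\\...'  -> None (already in the NT namespace)
    """
    if dest.startswith("\\Device\\"):
        return None
    body = _PREFIX_RE.sub("", dest)
    head, sep, tail = body.partition("\\")
    return head, (sep + tail if sep else "")


def classify_rename_destination(dest: str, dos_devices=SAMPLE_DOS_DEVICES) -> RenameVerdict:
    """Resolve a rename destination and say whether it looks like an ordinary file path."""
    parts = split_dos_name(dest)
    if parts is None:
        return RenameVerdict(dest, False, "native NT path")
    name, rest = parts
    target = dos_devices.get(name.upper())
    if target is None:
        # The case the filter driver mishandled: the destination cannot be
        # resolved to a volume path. Report it instead of silently moving on.
        return RenameVerdict(None, True, f"unresolvable DOS device {name!r}")
    if _DRIVE_LETTER_RE.match(name):
        return RenameVerdict(target + rest, False, "drive-letter path")
    # A resolvable alias that is not a drive letter: an arbitrary DOS device
    # name that points at a file. Resolve it for the log, but flag it.
    return RenameVerdict(target + rest, True, f"rename via non-drive DOS device alias {name!r}")


def filter_rename(dest: str, fail_closed: bool = True, dos_devices=SAMPLE_DOS_DEVICES) -> bool:
    """Decide whether a pre-rename callback should allow the rename.

    fail_closed=False models the weak behaviour described in the article: a
    destination that cannot be parsed is waved through. fail_closed=True
    blocks (or, in a real product, at least records and alerts on) such renames.
    """
    verdict = classify_rename_destination(dest, dos_devices)
    if verdict.suspicious:
        return not fail_closed
    return True


if __name__ == "__main__":
    for d in (r"C:\Users\alice\report.docx", r"\\.\ALIAS1", r"\??\BOGUS"):
        v = classify_rename_destination(d)
        print(f"{d:32} allow={filter_rename(d)!s:5} resolved={v.resolved} ({v.reason})")
```

The point of the example is the `fail_closed` branch: a rename whose destination the filter cannot resolve is exactly the event worth recording, so an error from path resolution should drive an alert or a deny rather than being dropped on the floor.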
Get help
Meanwhile, Nyotron has published two videos demonstrating how RIPlace can bypass Symantec Endpoint Protection (SEP) and Microsoft Defender Antivirus (Defender AV), and has released a free tool for anyone who wants to test their system and security products against RIPlace.