Security researchers at Nyotron have devised a technique that lets ransomware encrypt files on Windows systems without being detected by existing anti-ransomware products. Dubbed RIPlace, the method abuses a design flaw in the Windows operating system rather than a bug in any specific piece of software, and needs only a few lines of code to bypass the ransomware-protection features built into many security products and into Windows 10.
According to Nyotron, RIPlace can be used to alter files on any computer running Windows XP or a newer version of Microsoft's operating system. To replace a victim's files with encrypted data, most ransomware opens and reads the original file, encrypts the content in memory, and then destroys the original in one of three ways: by writing the encrypted content back over it, by saving the encrypted copy and then erasing the original, or by saving the encrypted copy and then using Rename to replace the original with it. It is this last step, the Rename, that RIPlace targets.
Every time a Rename request is issued (specifically, an IRP_MJ_SET_INFORMATION request with FileInformationClass set to FileRenameInformation), the file-system filter driver of a security product receives a callback so that it can inspect and, if necessary, block the request. The researchers found that if DefineDosDevice (a legacy function that creates a symbolic link in the form of an MS-DOS device name) is called before the Rename, it is possible to pass an arbitrary name as the device name and the original file's path as the target it points to; the Rename can then be directed at the file through that DosDevice path rather than through its real path.
As Nyotron explains, the issue stems from the fact that the filter driver's callback function "fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation." That routine "returns an error when passing a DosDevice path (instead of returning the path, postprocessed)", yet the Rename call itself still succeeds: the filter never learns the real destination, but the operation goes through. The technique can therefore be used to encrypt files while bypassing any antivirus or anti-ransomware product that does not properly handle the IRP_MJ_SET_INFORMATION callback, i.e. one that lets the request through when destination-name resolution fails instead of treating that failure as suspicious.
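The mechanism described above suggests a simple hunting check a defender can run today: enumerate the machine's MS-DOS device names and flag any whose target is a file path rather than a device object. The Python below is an added example written for this article, not Nyotron's proof-of-concept (which the article does not reproduce); it assumes only what the text states, namely that the DosDevice created by RIPlace points at the victim file's path, while legitimate device names (drive letters, COM ports, NUL, network drives) resolve to objects under \Device\. The `SAMPLE_DEVICES` data, the `RIPLACE_TEST` name and the `rawtarget` entry are constructed for illustration, and the shapes of target that `is_file_target` examines are an assumption stated in its docstring.

```python
"""Point-in-time hunt for MS-DOS device names that resolve to file paths.

Added example; this is not Nyotron's code. It assumes only what the article
states: RIPlace calls DefineDosDevice to create a device name whose target is
the victim file's path and then renames through that DosDevice path. Legitimate
device names resolve to objects under \\Device\\..., so a name whose target is a
plain file path is worth flagging. The classification is pure Python and runs
anywhere; the enumeration wraps QueryDosDeviceW via ctypes (Windows only).
"""
import ctypes
import re
import sys
from typing import Dict, List

# Object-manager prefixes used for MS-DOS style targets. Without DDD_RAW_TARGET_PATH,
# DefineDosDevice stores a target of "C:\x\y.txt" as "\??\C:\x\y.txt".
_NT_PREFIXES = ("\\??\\", "\\global??\\", "\\dosdevices\\")
_DRIVE_PATH = re.compile(r"^[a-z]:\\.+")                 # c:\users\...  (a bare "c:" or "c:\" is an alias)
_VOLUME_PATH = re.compile(r"^volume\{[0-9a-f-]+\}\\.+")  # volume{guid}\users\...
# Raw target naming a path inside a volume device object (assumed shape for DDD_RAW_TARGET_PATH use).
_HDV_PATH = re.compile(r"^\\device\\harddiskvolume\d+\\.+")


def parse_dos_device_targets(raw: str) -> List[str]:
    """Split the NUL-separated, double-NUL-terminated string QueryDosDevice returns."""
    return [t for t in raw.split("\0") if t]


def is_file_target(target: str) -> bool:
    """True when a DosDevice target looks like a file path rather than a device object.

    Assumption: only drive-letter, Volume{GUID} and \\Device\\HarddiskVolumeN targets
    are examined; redirector targets such as \\Device\\LanmanRedirector\\... (network
    drives) are left unflagged.
    """
    t = target.lower()
    for prefix in _NT_PREFIXES:
        if t.startswith(prefix):
            rest = t[len(prefix):]
            return bool(_DRIVE_PATH.match(rest) or _VOLUME_PATH.match(rest))
    return bool(_HDV_PATH.match(t))


def find_file_backed_dos_devices(devices: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each suspicious device name to the first file-path target it resolves to."""
    flagged: Dict[str, str] = {}
    for name, targets in devices.items():
        for target in targets:
            if is_file_target(target):
                flagged[name] = target
                break
    return flagged


def enumerate_dos_devices() -> Dict[str, List[str]]:
    """Enumerate every MS-DOS device name and its target(s) with QueryDosDeviceW (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("QueryDosDevice is a Windows API; use SAMPLE_DEVICES elsewhere")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.QueryDosDeviceW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    k32.QueryDosDeviceW.restype = ctypes.c_uint32

    def query(name):
        size = 1 << 12
        while True:  # grow the buffer until the whole list fits
            buf = ctypes.create_unicode_buffer(size)
            n = k32.QueryDosDeviceW(name, buf, size)
            if n:
                return parse_dos_device_targets(buf[:n])
            err = ctypes.get_last_error()
            if err != 122:  # ERROR_INSUFFICIENT_BUFFER
                raise ctypes.WinError(err)
            size *= 2

    return {name: query(name) for name in query(None)}  # name=None lists all device names


# Constructed sample in QueryDosDevice's output format, not captured from a real host.
SAMPLE_DEVICES: Dict[str, List[str]] = {
    "C:": ["\\Device\\HarddiskVolume3"],
    "COM1": ["\\Device\\Serial0"],
    "NUL": ["\\Device\\Null"],
    "Z:": ["\\Device\\LanmanRedirector\\;Z:0000000000012345\\fileserver\\share"],
    "D:": ["\\??\\C:\\"],  # drive alias to a volume root (as created by subst): not a file
    "RIPLACE_TEST": ["\\??\\C:\\Users\\alice\\Documents\\budget.xlsx"],  # hypothetical RIPlace-style name
    "rawtarget": ["\\Device\\HarddiskVolume3\\Users\\alice\\Documents\\notes.txt"],
}

if __name__ == "__main__":
    devices = enumerate_dos_devices() if sys.platform == "win32" else SAMPLE_DEVICES
    for name, target in find_file_backed_dos_devices(devices).items():
        print(f"suspicious DosDevice {name!r} -> {target}")
```

Two caveats apply. The check is point-in-time: a device name can be removed again with DefineDosDevice's DDD_REMOVE_DEFINITION flag as soon as the rename completes, so it is a hunting aid rather than a preventive control. The actual fix belongs in the filter driver: an IRP_MJ_SET_INFORMATION callback that treats a failure of FltGetDestinationFileNameInformation as grounds to block or further examine the rename, instead of letting it through, closes this particular gap (at the cost of whatever legitimate requests also hit that error path).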
“In fact, all antivirus products tested so far were completely blind to file operations using this technique, including encryption. Moreover, even Endpoint Detection and Response (EDR) products are blind to this technique and hence these operations will not be visible for future incident response and investigation purposes,” security researchers warned.