26 November 2019

A new technique bypasses most existing anti-ransomware protections

Nyotron security researchers have devised a new technique that allows ransomware to encrypt files on Windows-based systems without being detected by existing anti-ransomware products. Dubbed RIPlace, the new method uses a Windows operating system design flaw rather than a flaw in a specific piece of software, and requires only a few lines of code to bypass the ransomware protection features built into many security products and Windows 10.

According to Nyotron, the RIPlace technique can be used to alter files on any computer running Windows XP or a newer version of Microsoft’s operating system. To encrypt a victim's files and replace them with encrypted data, most ransomware opens and reads the original file, encrypts its content in memory, and then destroys the original in one of three ways: by writing the encrypted content back to it, by saving the encrypted file and then erasing the original, or by saving the encrypted file and then using Rename to replace the original.

Every time a Rename request is called (specifically, IRP_MJ_SET_INFORMATION with FileInformationClass set to FileRenameInformation), the filter driver gets a callback so that it can filter the request. The researchers found that if DefineDosDevice (a legacy function that creates a symlink) is called before Rename, it is possible to pass an arbitrary name as the device name and the original file path as the target it points to.

As per Nyotron, the issue stems from the fact that the filter driver's callback function “fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation.” While “it returns an error when passing a DosDevice path (instead of returning the path, postprocessed)”, the Rename call nevertheless succeeds. Thus, the technique can be used to maliciously encrypt files and bypass antivirus/anti-ransomware products that do not properly handle the IRP_MJ_SET_INFORMATION callback.
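The defensive point in the paragraph above is that a pre-rename callback which ignores an error from the destination-name lookup lets the rename through unseen. The following added example (not Nyotron's code and not any vendor's driver) models that callback's decision in portable C so it can be compiled and tested outside the kernel: the destination lookup fails closed instead of open, and the raw FileRenameInformation name is checked for the DOS device namespace independently of whether the lookup succeeded. The `resolve_status` and `resolved_name` parameters stand in for the result of FltGetDestinationFileNameInformation, and the function names, the prefix list and the sample paths are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Outcome of the illustrative pre-rename policy. */
typedef enum {
    RENAME_ALLOW,           /* destination resolved and is an ordinary volume path */
    RENAME_DENY_UNRESOLVED, /* destination could not be resolved: fail closed */
    RENAME_DENY_DOSDEVICE   /* raw destination goes through the DOS device namespace */
} rename_decision;

/* True if `name` starts with `prefix`, ignoring ASCII case (NT names are case-insensitive). */
static bool has_prefix_ci(const wchar_t *name, const wchar_t *prefix) {
    for (; *prefix != L'\0'; ++name, ++prefix) {
        wchar_t a = *name, b = *prefix;
        if (a >= L'a' && a <= L'z') a -= 32;
        if (b >= L'a' && b <= L'z') b -= 32;
        if (a != b) return false;
    }
    return true;
}

/* True when the raw rename target is expressed through the DOS device namespace
 * (where DefineDosDevice creates its symlinks) rather than as a path on the volume
 * the filter is attached to. The prefix list is an assumption for this example. */
bool is_dosdevice_path(const wchar_t *raw_name) {
    return has_prefix_ci(raw_name, L"\\??\\") ||
           has_prefix_ci(raw_name, L"\\GLOBAL??\\") ||
           has_prefix_ci(raw_name, L"\\DosDevices\\");
}

/* Decision a pre-rename callback would return. `resolve_status` is 0 when the
 * destination-name lookup succeeded and non-zero (with `resolved_name` NULL) when it
 * failed, mirroring the error the article says the common routine returns. */
rename_decision decide_rename(int resolve_status, const wchar_t *resolved_name,
                              const wchar_t *raw_name) {
    /* Inspect the raw name first: this check does not depend on the lookup at all. */
    if (is_dosdevice_path(raw_name)) return RENAME_DENY_DOSDEVICE;
    /* A failed lookup is a reason to block (or at least flag) the rename, not to skip it. */
    if (resolve_status != 0 || resolved_name == NULL) return RENAME_DENY_UNRESOLVED;
    return RENAME_ALLOW;
}

int main(void) {
    /* Constructed scenarios; the paths are illustrative and not taken from the article. */
    const wchar_t *resolved = L"\\Device\\HarddiskVolume2\\Users\\alice\\report.docx.locked";
    printf("ordinary rename     -> %d\n", decide_rename(0, resolved, L"report.docx.locked"));
    printf("DOS-device target   -> %d\n", decide_rename(-1, NULL, L"\\??\\ExampleLink"));
    printf("unresolvable target -> %d\n", decide_rename(-1, NULL, L"report.docx.locked"));
    return 0;
}
```

The two checks are deliberately separate: a product that only keys on the lookup result still treats any resolution error as a blocking condition, while the raw-name check catches a namespace-style target even if a future lookup routine happened to resolve it. In a real minifilter the same decision would be returned from the IRP_MJ_SET_INFORMATION pre-operation callback for FileRenameInformation requests.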

“In fact, all antivirus products tested so far were completely blind to file operations using this technique, including encryption. Moreover, even Endpoint Detection and Response (EDR) products are blind to this technique and hence these operations will not be visible for future incident response and investigation purposes,” security researchers warned.
