New Microsoft file system technique can make ransomware ‘invisible’

guest · Nov 21, 2019

New Microsoft file system technique can make ransomware ‘invisible’
November 21, 2019
https://www.siliconrepublic.com/enterprise/nyotron-ransomware-microsoft-file-system-invisible

Now, however, it may have gotten more difficult to detect too.

Nyotron, an information security based out of California, has published a report today (21 November) detailing a new vulnerability it has dubbed “RIPlace”. The vulnerability can allow hackers to bypass existing system defences by relying on a legacy file system ‘rename’ option. This bypass can be executed in as little as two lines of code.
Additionally, the company has made a free tool available which can be used to test whether a system is vulnerable.

The company has demonstrated that a proof-of-concept ransomware leveraging RIPlace evasion techniques can infect devices with Windows Defender Antivirus and Symantec Endpoint Protection products enabled.
Click to expand...

Nyotron Discovers Technique That Renders Ransomware Invisible to Security Software
RIPlace Report (PDF - 753 KB): https://www.nyotron.com/collateral/RIPlace-report_compressed-3.pdf

Nytron blog entry: Nyotron Discovers Potentially Unstoppable Ransomware Evasion Technique: “RIPlace”

Practically Unstoppable
RIPlace is a Windows file system technique that, when used to maliciously encrypt files, can evade most existing anti-ransomware methods. In fact, all antivirus products we have tested to date were were bypassed Even Endpoint Detection and Response (EDR) products that are supposed to keep track of all data-related activity are completely blind to this technique, which means these operations will not be visible for future incident response and investigation purposes.
Click to expand...

guest · Nov 21, 2019

New RIPlace Bypass Evades Windows 10, AV Ransomware Protection
November 21, 2019
https://www.bleepingcomputer.com/ne...s-evades-windows-10-av-ransomware-protection/

Nyotron told BleepingComputer that they tested RIPlace against over a dozen vendors including Microsoft, Symantec, Sophos, McAfee, Carbon Black, Kaspersky, Crowdstrike, PANW Traps, Trend Micro, Cylance, SentinelOne, and Malwarebytes.
Only Kaspersky and Carbon Black modified their software to prevent this technique.

BleepingComputer only verified that the RIPlace technique can bypass CFA as demonstrated below.
RIPlace against Windows 10 Controlled Folder Access
[...] RIPlace was successfully able to encrypt the file as indicated by the thumbnail no longer being visible in the folder.
Furthermore, when we hex edited the file, all of the data was encrypted.

When we asked Microsoft about this technique, they told BleepingCmputer that this technique is not considered a vulnerability and as CFA is a defense-in-depth feature, it does not satisfy their security servicing criteria.
While this may not satisfy Microsoft security servicing criteria, it would make sense for this issue to be fixed proactively rather than wait for customer's files to be encrypted even when CFA is enabled.
Click to expand...

The RIPlace ransomware protection bypass
According to Nyotron, ransomware will encrypt a victim's files and replace them with encrypted data using one of the three methods below. In our experience working with ransomware, methods #1 and #2 are the most common.

Writing the encrypted data from memory to the original file.

Writing the encrypted data from memory to a new file and then deleting the old one.

Writing the encrypteddata from memory to a new file and then using the Rename call to replace the original file.

Unfortunately, Nyotron discovered that performing option three to replace files, and doing it in a special way, allows the bypassing of the protection feature as illustrated below.
Click to expand...

Tarnak · Nov 21, 2019

In the interests of testing, I ended up sacrificing a file on my desktop:

B-boy/StyLe/ · Nov 21, 2019

I tested it as well. Comodo's HIPS passed the test:

When the changes are allowed the file is encrypted:

https://i.imgur.com/m4tBJn0.png

When the changes are not allowed the file is not encrypted:

https://i.imgur.com/I5ipB80.png

Rasheed187 · Nov 23, 2019

Interesting, has anyone tested this against tools like HMPA and AppCheck?

guest · Nov 19, 2020

Thanos Ransomware Evading Anti-ransomware Protection With RIPlace Tactic
November 18, 2020
https://www.seqrite.com/blog/thanos...ti-ransomware-protection-with-riplace-tactic/

Ransomware has come a long way in cyberspace by continuous improvement in its techniques and tactics in encrypting system files. Over the years ransomware has improvised itself by moving from PE to non-PE and standalone payloads, by using different compilers and complex packers.

Recently, we observed a similar strain of ransomware (named as Thanos Ransomware) trying to evade traditional Anti-Ransomware solutions by implementing different techniques which include process injection and the latest RIPlace tactic.
Last year researchers at Nyotron had furnished proof of concept (POC) of RIPlace tactic that can potentially encrypt files without getting identified by the anti-ransomware or Endpoint Detection and Response (EDR) solutions.
Click to expand...

Conclusion
There have been several techniques used by ransomware families to evade the AV products earlier, increasing the complexity, the speed of their operations, termination of the analysis tools, but this time it has become more advanced, challenging for anti-ransomware technologies. The use of almost all the possible anti-analysis techniques and then hiding the new extensions of the encrypted files from the anti-ransomware solutions makes the task much more difficult.
Click to expand...

Log in or Sign up

New Microsoft file system technique can make ransomware ‘invisible’

guest Guest

guest Guest

Tarnak Registered Member

Attached Files:

NYOTRON_RIPlace Demo tool_01.JPG

NYOTRON_RIPlace Demo tool_02.JPG

NYOTRON_RIPlace Demo tool_03.JPG

NYOTRON_RIPlace Demo tool_04.JPG

B-boy/StyLe/ Registered Member

Rasheed187 Registered Member

guest Guest

Log in or Sign up

New Microsoft file system technique can make ransomware ‘invisible’

guest Guest

guest Guest

Tarnak Registered Member

Attached Files:

NYOTRON_RIPlace Demo tool_01.JPG

NYOTRON_RIPlace Demo tool_02.JPG

NYOTRON_RIPlace Demo tool_03.JPG

NYOTRON_RIPlace Demo tool_04.JPG

B-boy/StyLe/ Registered Member

Rasheed187 Registered Member

guest Guest

Useful Searches