steven36 Posted November 22, 2019

Nyotron has detected a new technique that enables hackers to encrypt Windows files in a way that existing anti-ransomware products cannot detect.

Ransomware is one of the prevalent cybersecurity threats, so much so that according to Verizon’s recent Data Breach Investigations Report, it is the second most common functionality deployed by hackers, appearing in 28pc of all incidents observed. Now, however, it may have gotten more difficult to detect.

Nyotron, a security software company based out of California, has published a report today (21 November) detailing a new vulnerability it has dubbed ‘RIPlace’. The vulnerability can allow hackers to bypass existing system defences by relying on a legacy file system ‘rename’ option in Microsoft Windows. This bypass can be executed in as little as two lines of code.

[Figure: Nyotron infographic explaining RIPlace. Image: Nyotron]

According to Nyotron founder and CTO, Nir Gaist, the company has followed disclosure practices and encouraged all security vendors to address the vulnerability. Additionally, the company has made a free tool available, which can be used to test whether a system is vulnerable.

The unique method of file modification means that while it does not ‘hide’ malware per se, it is useful for stealthily modifying files on a system. “Hence, from the threat actor perspective, it would likely be most ‘useful’ in ransomware,” Gaist continued.

The company has demonstrated that a proof-of-concept ransomware leveraging RIPlace evasion techniques can infect devices with Windows Defender antivirus and Symantec Endpoint Protection products enabled.

In August, researchers from Check Point discovered a vulnerability in Canon cameras that left them open to ransomware attacks. The firm investigated whether the camera’s picture transfer protocol could be used to allow a hacker to take over the camera and infect it with ransomware. Though the hacker in this instance needed to be in close proximity to the device in order to infect it, the vulnerability inspired alarm, as well as fears that it could exist on other ‘smart’ devices.
Guest Posted November 22, 2019

5 hours ago, steven36 said:
The company has demonstrated that a proof-of-concept ransomware leveraging RIPlace evasion techniques can infect devices with Windows Defender antivirus and Symantec Endpoint Protection products enabled.

Whoa. Even with ATP tech on, Windows Defender can't stop it. Plus, it is unknown yet if other anti-malware solutions are detecting this variant of ransomware. But the proof-of-concept video that they did comes from way back in February 2019, and it is unlisted. Only now are they revealing its existence. 9 months left unreported.
steven36 Posted November 22, 2019 (Author)

2 hours ago, Edward Raja said:
Whoa. Even with ATP tech on, Windows Defender can't stop it. Plus, it is unknown yet if other anti-malware solutions are detecting this variant of ransomware. But the proof-of-concept video that they did comes from way back in February 2019, and it is unlisted. Only now are they revealing its existence. 9 months left unreported.

Always when a researcher discloses something, they give security software and platform vendors a while to fix it before they disclose it to the public. They reported it back in 2018; they're only required by law to wait 90 days before disclosing it to the public. It's most vendors who never patched it because it has not been seen in the wild yet. Now that it's been disclosed, it won't be long till hackers use it if they don't patch their products against it. It's Microsoft and others that are slacking, but Kaspersky updated their software to detect it. Nice try to try to blame the company who found it when, as always, it's slackers like Microsoft and most of the rest of the security sector practicing cybersect. Google has disclosed stuff on Microsoft time and time again for not patching; that's the reason they made it where you have to tell a vendor 90 days before disclosing it. Google used to drop 0-days on Microsoft to the public before, which was considered dangerous. Seems you don't know very much about how cyber security works and haven't been following disclosure policies for vulnerabilities very long?

---

Discovered in 2018, Nyotron responsibly disclosed the RIPlace bypass technique to security software vendors and Microsoft, but the researchers were told that since no ransomware was using it, it was seen as a non-issue.

"Nyotron followed responsible disclosure practices by informing security vendors of the issue – six months ago. However, only one vendor was responsive and prompt, addressing the issue in all its products. The rest of the industry (including one major tech vendor) seem to view RIPlace as a non-issue because it has not yet been seen in the wild."

Nyotron told BleepingComputer that they tested RIPlace against over a dozen vendors including Microsoft, Symantec, Sophos, McAfee, Carbon Black, Kaspersky, Crowdstrike, PANW Traps, Trend Micro, Cylance, SentinelOne, and Malwarebytes. Only Kaspersky and Carbon Black modified their software to prevent this technique.

When we asked Microsoft about this technique, they told BleepingComputer that this technique is not considered a vulnerability and as CFA is a defense-in-depth feature, it does not satisfy their security servicing criteria.

"The technique described is not a security vulnerability and does not satisfy our Security Servicing Criteria. Controlled folder access is a defense-in-depth feature and the reported technique requires elevated permissions on the target machine."

While this may not satisfy Microsoft security servicing criteria, it would make sense for this issue to be fixed proactively rather than wait for customers' files to be encrypted even when CFA is enabled.

Nyotron created a video demonstrating the CFA bypass as well, which can be viewed below. Nyotron has also created a section on their site with more information about this bypass.

Source: https://www.bleepingcomputer.com/news/security/new-riplace-bypass-evades-windows-10-av-ransomware-protection/

Stupid stuff like this is why some researchers get pissed off and go rogue and start dropping 0-days on Twitter and selling them to malware distributors.