“RIPlace” - Does It Make Ransomware Unstoppable?

Presented by

Nir Gaist, Founder and CTO of Nyotron

About this talk

Remember WannaCry, the ransomware attack that two years ago infected Windows devices across 150 countries and caused an estimated $4B in damage? We now know that WannaCry was completely preventable: Microsoft had issued a patch two months prior to the attack. If you think WannaCry was bad, brace yourself. We have discovered a technique that attackers may use to deliver ransomware that most organizations have no way to detect or prevent. This webinar will cover a Windows evasion technique called “RIPlace” that, when used to maliciously alter files, bypasses most existing ransomware protection technologies. In fact, even Endpoint Detection and Response (EDR) products are blind to this technique, which means these operations will not be visible for future incident response and investigation purposes. The technique leverages an issue at the boundary between a Windows design flaw and improper error handling of an edge-case scenario by the filter drivers of security products. While not a vulnerability per se, the technique is extremely easy for malicious actors to take advantage of with barely two lines of code. RIPlace abuses the way file rename operations are (mis)handled when a legacy Windows function is used. We will review existing ransomware detection methods and the workflow of typical ransomware, and provide a live demo of RIPlace bypassing a number of anti-ransomware technologies.

Presenter: Nir Gaist, Founder and CTO of Nyotron. Nir Gaist is a recognized information security expert and ethical hacker. He has worked with some of Israel’s largest public and private sector organizations, such as the Israeli Police, the Israeli parliament and Microsoft’s Israeli headquarters. He also wrote cybersecurity curriculum for the Israel Ministry of Education. Nir holds patents for the creation of a programming language called Behavior Pattern Mapping (BPM) that enables monitoring of the integrity of operating system behavior to deliver threat-agnostic protection.

More from this channel

Nyotron pioneers a new generation of automatic Endpoint Detection and Response with integrated protection called Endpoint Prevention and Response (EPR). Our product prevents damage from malware that evades existing security layers and offers granular visibility into the attack. Based on the OS-Centric Positive Security, Nyotron's PARANOID automatically whitelists trusted operating system behavior and rejects everything else. No manual threat hunting, baselining, machine learning or cloud connectivity required. With PARANOID organizations gain true defense-in-depth protection against the most advanced attacks. Nyotron is headquartered in Santa Clara, CA with an R&D office in Israel. To learn more, visit www.nyotron.com.