LASER_oneXM

Level 35
Verified
A new ransomware bypass technique called RIPlace requires only a few lines of code to bypass ransomware protection features built into many security products and Windows 10.

With ransomware being such an epidemic for consumers and businesses, security software and Windows have built ransomware protections features into their software.

A new technique called RIPlace was disclosed today by security researchers Daniel Prizmant, Guy Meoded, Freddy Ouzan, and Hanan Natan at endpoint protection firm Nyotron that encrypts files in a way that these ransomware protection solutions miss and thus the files become encrypted.

Discovered in 2018, Nyotron responsibly disclosed the RIPlace bypass technique to security software vendors and Microsoft, but the researchers were told that since no ransomware was using, it was seen as a non-issue.
 

MacDefender

Level 4
Verified
WOW I can't believe that works....
Untitled.png

Windows Defender and CFA don't recognize this at all! You can see from that screen shot above that I mapped a drive "Q" aliased into a subdirectory of My Documents. It's amazing Windows allows unprivileged programs to do this.

Just a quick test:

F-Secure: BLOCKED (W32/CryptoRansomwareBehavor.B!DeepGuard) (.B is different from my naive ransomware)
Emsisoft: BLOCKED (Cryptoransomware behavior)
KIS: Sorta blocked. KSW thought it was malicious but that was after all the files have been encrypted. Did not offer a rollback (!!)
SEP and Symantec: No reaction
ESET: No reaction


As an aside: The first attempt to do this, F-Secure on my host actually blocked the compiled binary with a HEUR/APC detection from the cloud. I was able to make some subtle modifications to bypass that :)
 

oldschool

Level 41
Verified
"The technique described is not a security vulnerability and does not satisfy our Security Servicing Criteria. Controlled folder access is a defense-in-depth feature and the reported technique requires elevated permissions on the target machine." (my italics)

So this vulnerability is still user-dependent and requires social engineering to gain elevated permission (I assume) like so many threats these days. 🤔
 

MacDefender

Level 4
Verified
"The technique described is not a security vulnerability and does not satisfy our Security Servicing Criteria. Controlled folder access is a defense-in-depth feature and the reported technique requires elevated permissions on the target machine." (my italics)

So this vulnerability is still user-dependent and requires social engineering to gain elevated permission (I assume) like so many threats these days. 🤔
I’m kind of confused by that actually — I had also assumed this would require UAC elevation but it did not on any of my test VMs. Unless I misunderstood and came up with yet another ransomware zero day!

EDIT: the video also does not show a UAC prompt. I feel that part of the analysis is in error. I agree that features like CFA are defense in depth but having them be defeatable simply means malware will shift to these techniques.
Even hypothetical UAC requirements aren’t super reassuring. Basically every installer requests UAC elevation.... even Rufus for creating USB sticks asks for it and surely we’ve all used that here!
 
Last edited:

Andy Ful

Level 51
Verified
Trusted
Content Creator
I’m kind of confused by that actually — I had also assumed this would require UAC elevation but it did not on any of my test VMs. Unless I misunderstood and came up with yet another ransomware zero day!

EDIT: the video also does not show a UAC prompt. I feel that part of the analysis is in error. I agree that features like CFA are defense in depth but having them be defeatable simply means malware will shift to these techniques.
Even hypothetical UAC requirements aren’t super reassuring. Basically every installer requests UAC elevation.... even Rufus for creating USB sticks asks for it and surely we’ve all used that here!
The POC cannot do anything on my Windows 10 Pro 64-bit ver. 1903 (updated 13.11.2019).
I tested it with native Windows security (default settings and no additional security - Controlled Folder Access not enabled).

riplace.png

Did anyone test this POC recently?
 

Attachments

Last edited:

alv222

Level 2
WOW I can't believe that works....
View attachment 230116

Windows Defender and CFA don't recognize this at all! You can see from that screen shot above that I mapped a drive "Q" aliased into a subdirectory of My Documents. It's amazing Windows allows unprivileged programs to do this.

Just a quick test:

F-Secure: BLOCKED (W32/CryptoRansomwareBehavor.B!DeepGuard) (.B is different from my naive ransomware)
Emsisoft: BLOCKED (Cryptoransomware behavior)
KIS: Sorta blocked. KSW thought it was malicious but that was after all the files have been encrypted. Did not offer a rollback (!!)
SEP and Symantec: No reaction
ESET: No reaction


As an aside: The first attempt to do this, F-Secure on my host actually blocked the compiled binary with a HEUR/APC detection from the cloud. I was able to make some subtle modifications to bypass that :)
did you set SONAR to intense/aggresive ??
 

MacDefender

Level 4
Verified
The POC cannot do anything on my Windows 10 Pro 64-bit (updated 13.11.2019).
I tested it with native Windows security (default settings and no additional security - Controlled Folder Access not enabled).

View attachment 230118
Did anyone test this POC recently?


did you set SONAR to intense/aggresive ??
F7416794-48DE-47B3-A631-AD457F5574C6.png

Runs successfully on Windows Insider Fast ring. Does not run on a non beta Windows build. I suspect Microsoft patched something recently

Their exploit very explicitly uses "MoveFileExA" with a mapped UNC (like \\.\Something) and certain versions of Windows will not allow renaming files where either the source or destination is a UNC URI.

My modified exploit uses the same API but instead of an UNC path it simply maps a drive letter into My Documents, Q in this case. This is sufficient to bypass some forms of antiransomware, which has my jaw dropped. I'll double check against CFA on both regular and beta Windows builds. It never fails to rename for me -- drive letters seem accepted but theoretically any non stupid anti-malware should be able to map Q: back to the original My Documents location.



As an aside, DeepGuard static heuristics refuse to allow their POC to run at all, W32/Malware. I disabled F-Secure to try their POC on this machine.


EDIT: Forgot about the SONAR question. Yes, in my testing, SONAR and static heuristics were set to their maximum settings. Quite honestly Norton is not good at (zero day) ransomware protection -- it does not mind unknown executables tampering with My Documents contents, but it is highly sensitive to behaviors like phoning home, registering for startup, containing code that looks for antivirus process names, etc. I kind of sympathize with their approach because protecting My Documents from modifications tends to result in false positives without careful whitelists -- Steam and Blizzard games often receive daily updates and those games love to mess with My Documents subdirectories

EDIT 2: Clarified my critique of Norton above applies specifically to true unknown ransomware. For variants of existing malware, I found that their heuristic detection "AdvML.C" frequently trips on things they don't yet have signatures for.
 
Last edited:

Andy Ful

Level 51
Verified
Trusted
Content Creator
View attachment 230119

Runs successfully on Windows Insider Fast ring. Does not run on a non beta Windows build. I suspect Microsoft patched something recently

Their exploit very explicitly uses "MoveFileExA" with a mapped UNC (like \\.\Something) and certain versions of Windows will not allow renaming files where either the source or destination is a UNC URI.

My modified exploit uses the same API but instead of an UNC path it simply maps a drive letter into My Documents, Q in this case. This is sufficient to bypass some forms of antiransomware, which has my jaw dropped. I'll double check against CFA on both regular and beta Windows builds. It never fails to rename for me -- drive letters seem accepted but theoretically any non stupid anti-malware should be able to map Q: back to the original My Documents location.



As an aside, DeepGuard static heuristics refuse to allow their POC to run at all, W32/Malware. I disabled F-Secure to try their POC on this machine.
If your POC works with standard rights then you should send it to Microsoft (they pay for such exploits).:)(y)
 

MacDefender

Level 4
Verified
I tested more this morning and here's a rough summary of my findings. It's kind of surprising actually ....


"RIPlace using a non drive letter": this configuration, if successful, defeats CFA as well as any antiransomware protection that relies on protecting specific folders. It basically causes the "is this file inside this folder?" check to fail, and it also causes the API to move the file (MoveFileExA) to report it failed but it actually succeeds. This seems like a Windows bug to me -- MoveFileExA is being inconsistent in its behavior by allowing a path spec that almost no other Windows API thinks is valid. You can't even use Windows Explorer to look at the \\.\RIPlace\ location. With that said, some builds of Windows 10 are not susceptible: MoveFileExA doesn't cause the file to become renamed.

"RIPlace using a drive letter": this technique works on every build of Windows I've tried. Basically you can use the CreateDOSDevice API to map a drive letter on to any path. It is the same underlying API that is used by the SUBST command in DOS. This defeats CFA's ability to protect subfolders. For example if you have a "My Documents\test\" directory, CFA should protect the "test" directory if you protect My Documents. However, if you map the test directory as a DOS drive letter, CFA won't protect accesses through the DOS drive unless you add the test subdirectory explicitly to CFA protected folders. IMO this is not very exploitable because CFA does not allow you to read protected folders at all so an attacker has to know that the folder exists by that name.

F-Secure and Emsisoft both did really well in these tests and blocked all forms of this attack that I found. They do so by having ransomware protection not care about what directories are protected. Unknown reputation processes that open any file and then later delete it are considered ransomware behavior.

Using this DOS device technique with a drive letter eventually got Symantec Endpoint Protection 14.2 to trigger for the first time. SONAR flagged my binary as suspicious with high confidence but it failed to block it! Every time it encrypted a file, the program paused for about 5 seconds, and SEP event logs say that it quarantined the offending binary (which was true) but it did not kill the binary from running. It also deleted the ".encrypted" ransom file but did not block the binary from deleting the original so you end up losing both the document and the encrypted version of it (!!!). Note that if I don't use a DOS device and directly start encrypting My Documents, SEP never reacts. Consumer Norton 360 does not react to either attack vector. I found this super interesting, seems like SONAR is tuned differently on their consumer vs business products. On SEP I put Sonar to the maximum settings.

One thing cool about SONAR is that as soon as the binary got flagged as malicious, SONAR stopped allowing me to execute it again to retest. I had to recompile the binary to change the hash. No other cloud service reacted so quickly to one endpoint flagging a test binary.


Overall this is kind of neat but I don't think this is a doomsday exploit. Most AVs seem to understand that DefineDOSDevice is a suspicious API call and it is really hard to mask the fact that you're calling that. There are many ways for ransomware to cleverly gain read and write access to user documents and this is just yet another of those techniques.


My observations still stand that Emsi and F-Secure lead the industry on ransomware protection through behavior blocking.
 

MacDefender

Level 4
Verified
@Mjolnir RIPlace demo tool can't do anything.
It sounds like you have a Windows config that doesn't respect this form of MoveFileEx.

Honestly the actual demo is a bit of a letdown.... The technique is sorta interesting but it was over the top to turn it into a tirade directed at almost everyone in the industry except for two vendors that supposedly got back to him.

I was doing some research and it turns out this is not original. A lot of malware use DefineDosDevice in interesting ways to evade AV software.
 

Umbra

Level 22
Verified
I’m kind of confused by that actually — I had also assumed this would require UAC elevation but it did not on any of my test VMs. Unless I misunderstood and came up with yet another ransomware zero day!
[...]
Even hypothetical UAC requirements aren’t super reassuring. Basically every installer requests UAC elevation.... even Rufus for creating USB sticks asks for it and surely we’ve all used that here!
What level of UAC did you used? default...?
 

MacDefender

Level 4
Verified
UAC as default is like no UAC, it's useless.
UAC must be at max to afford some decent protection.
Tried putting UAC at max, for RIPlacer it doesn't seem to have an impact on the exploit succeeding. However, whether or not you elevate the process does seem to change some details about how the exploit works: Virtual Disk Drivers, UAC and NT

Namely, if you request elevation before the operation, then the DOS device gets defined global to the system and not local to the user. But this isn't an auto-elevating API, you have to ask for elevation beforehands.