RIPlace Evasion Technique exploits Windows 10 and antiviruses

Ransomware attacks are getting common nowadays. The ability to change a few lines of code and emulate the same ransomware with different names makes it a deadly weapon for hackers.

A similar process known as RIPlace Evasion technique was discovered by leading security researchers at the endpoint protection firm Nyotron. This method is effective against devices that run the latest computer security solutions and updated system patches. Read on to know more about this advanced ransomware technique.

How does the RIPlace Evasion Technique Work?

RIPlace Evasion technique was discovered by Cybersecurity experts in Nyotron around the spring of 2019. During that time, this new ransomware bypass method was not taken seriously since it was not being used for Ransomware attacks. However, the whole process is catastrophic for the computing devices. Here is how it works:

1. Almost all ransomware function by opening and reading the files. Then the files are encrypted and the original files are destroyed by either renaming or replacing them.
2. A special method of renaming or replacing the file is known as RIPlace Evasion technique.
3. The Ransomware infection uses a legacy file system “rename” operation.
4. Using specific coding instructions, the ransomware can then bypass modern antivirus solutions and encrypt files.

What did the security vendors do so far?

Once the advanced ransomware was detected, researchers contacted leading security providers, Microsoft, government authorities and law enforcement.

Nyotron actually tested RIPlace to check whether security vendors like Symantec, Microsoft, McAfee, Carbon Black, Kaspersky, Cyclance, Malwarebytes etc. were effective against the new technique. They failed to counter the new ransomware.

A few Security solution providers did acknowledge the issue. But, Carbon black and Kaspersky were the only vendors who updated their software to prevent the RIPlace Evasion technique.

How to safeguard your computing devices?

Nyotron has posted two videos showcasing the bypass method of RIPlace for Symantec and Microsoft Defender Antivirus. They have given a free tool to test the computers and antivirus against RIPlace.

However, experts advise exercising caution while browsing the internet and opening spam emails. They suggest users to utilize official applications and update their antivirus and windows 10 to the latest version. Apparently, this will ensure that computers are not infected with the RIPlace ransomware.

Hits: 198