A Cambridge University study determined that a coordinated ransomware attack could cost the global economy $184 billion and RIPlace makes it incredibly easy for a hacker to do this. RIPlace uses legitimate file system rename operations in a way that makes it invisible to security software, and two lines of code are all that are required to leverage it. Unfortunately, instead of proactively fixing this major vulnerability, the industry has chosen to wait for the inevitable attack.
To learn more about the risk, Digital Journal spoke with Nir Gaist, CTO and co-founder of Nyotron, an information-security company.
Digital Journal: What is the current state of play with cyber-threats?
Nir Gaist: Account compromise through phishing and ransomware is continuing to be extremely successful, especially across healthcare and state and local institutions. That’s not going to change in 2020.
DJ: Where are these threats coming from?
Gaist: These days, the predominant source of attacks is organized cybercrime organizations. Of course there are students, script kiddies, 1-2 person wannabe operations, and nation-state actors, but the largest volume is coming from the organized crime syndicates that operate at a scale of vertically integrated corporations with revenues going into tens and hundreds of millions of dollars.
DJ: What is RIPlace?
Gaist: RIPlace is a Windows evasion technique that, when used to maliciously alter files, bypasses most existing ransomware protection technologies. In fact, even Endpoint Detection and Response (EDR) products are blind to this technique, which means these operations will not be visible for future incident response and investigation purposes. Basically, in the wrong hands, RIPlace has the potential to unleash unstoppable ransomware with an impact dwarfing that of the WannaCry or NotPetya attacks.
DJ: Where does RIPlace originate from?
Gaist: The RIPlace technique is the discovery of Nyotron’s Research Team.
DJ: How did Nyotron discover the ransomware?
Gaist: We have not seen the RIPlace evasion technique used in the wild yet. However, we believe it is just a matter of time. Cybercriminals often leverage disclosed vulnerabilities within days if not hours. Unfortunately, this technique is trivial to use, requiring literally two lines of code to implement.
DJ: What can businesses do to protect themselves from RIPlace and similar ransomware?
Gaist: We provide guidance to businesses regarding RIPlace at https://www.nyotron.com/riplace/ along with a free tool to check for susceptibility to this evasion technique. Unfortunately, only a few security vendors (along with Nyotron of course) took proactive action to implement protection against this technique, which means that the majority of users and organizations around the globe remain unprotected from any ransomware that chooses to utilize RIPlace.