New Microsoft file system technique can make ransomware ‘invisible’

21 Nov 2019

Nyotron has detected a new technique that enables hackers to encrypt Windows files in a way that existing anti-ransomware products cannot detect.

Ransomware is one of the most prevalent cybersecurity threats, so much so that according to Verizon’s recent Data Breach Investigations Report, it is the second most common functionality deployed by hackers, appearing in 28pc of all incidents observed.

Now, however, it may have gotten more difficult to detect. Nyotron, a security software company based out of California, has published a report today (21 November) detailing a new vulnerability it has dubbed ‘RIPlace’.

The vulnerability can allow hackers to bypass existing system defences by relying on a legacy file system ‘rename’ option in Microsoft Windows. This bypass can be executed in as little as two lines of code.

Nyotron infographic explaining RIPlace. Image: Nyotron

According to Nyotron founder and CTO, Nir Gaist, the company has followed disclosure practices and encouraged all security vendors to address the vulnerability. Additionally, the company has made a free tool available, which can be used to test whether a system is vulnerable.

The unique method of file modification does not ‘hide’ malware per se, but it is useful for stealthily modifying files on a system. “Hence, from the threat actor perspective, it would likely be most ‘useful’ in ransomware,” Gaist said.

The company has demonstrated that a proof-of-concept ransomware leveraging RIPlace evasion techniques can infect devices with Windows Defender antivirus and Symantec Endpoint Protection products enabled.

In August, researchers from Check Point discovered a vulnerability in Canon cameras that left them open to ransomware attacks.

The firm investigated whether the camera’s picture transfer protocol could be used to allow a hacker to take over the camera and infect it with ransomware. Though the hacker in this instance needed to be in close proximity to the device in order to infect it, the vulnerability inspired alarm, as well as fears that it could exist on other ‘smart’ devices.

Eva Short was a journalist at Silicon Republic