Welcome to Bsides Seattle 2020
Saturday, October 17 • 12:30pm - 12:55pm
How to Render Ransomware Detection and EDR Products Blind?


Remember WannaCry, the ransomware attack that two years ago infected Windows devices across 150 countries and caused an estimated $4B in damage? What is often forgotten is that WannaCry was completely preventable: Microsoft had issued a patch two months prior to the attack. If you think WannaCry was bad, how about a technique that organizations do not have any protection from?

This talk will cover a Windows evasion technique called “RIPlace” that, when used to maliciously alter files, bypasses most existing ransomware protection technologies. In fact, even Endpoint Detection and Response (EDR) products are blind to this technique, which means these operations will not be visible for future incident response and investigation purposes.

The technique leverages an issue at the boundary between a Windows design flaw and the improper handling, by the filter drivers of security products, of an edge-case scenario. While not a vulnerability per se, the technique is extremely easy for malicious actors to take advantage of with barely two lines of code. RIPlace abuses the way file rename operations are (mis)handled when they are performed through a legacy Windows function.

I will review existing ransomware detection methods and the workflow of typical ransomware, and provide a live demo of RIPlace bypassing a number of anti-ransomware technologies. Finally, I will share a ransomware testing tool we are releasing for the community to play with.

Rene Kolga

Head of Product, Nyotron

Saturday October 17, 2020 12:30pm - 12:55pm PDT
Track D