Nyotron Discovers Technique that Renders Ransomware Invisible to Security Software

“RIPlace” Method Enables Creation of Undetectable Attacks that Could Dwarf WannaCry


SANTA CLARA, Calif., November 21, 2019 – Nyotron, provider of the industry’s first automatic Endpoint Detection and Response (EDR) solution that both detects malware and prevents damage to endpoints in real-time, today announced it has discovered a new Microsoft Windows file system technique that enables cyberattackers to maliciously encrypt files in a way that existing anti-ransomware products cannot detect. The company has alerted security vendors of the threat it has named “RIPlace,” and released a free tool that allows users to check their systems for exposure to the technique.

Ransomware has been around since 1989, yet remains one of the most common and successful attack types, causing billions of dollars in damages worldwide every year. The Verizon 2019 Data Breach Investigations Report (DBIR) states that ransomware accounts for nearly 24 percent of all incidents where malware was used last year, making it the second most common type of malware reported.[1]

The combination of timely patching and using modern antivirus solutions helps stop some ransomware. However, RIPlace can bypass these defenses by using a legacy file system “rename” operation. It takes only two lines of code for hackers to unleash this technique.

“A Cambridge University study estimates that a coordinated ransomware attack could cost the global economy more than $180 billion, and RIPlace has the power to facilitate just such an attack,” said Nyotron Founder and CTO, Nir Gaist. “We have followed responsible disclosure practices, and encourage all security vendors to proactively address this major issue, rather than reactively waiting for RIPlace to be used in an attack.”

Nyotron’s free tool enables users and organizations to check their systems for the RIPlace vulnerability. If the system is deemed to be at-risk, the tool provides solution recommendations. To learn more about RIPlace and find out if your system is susceptible, please visit https://www.nyotron.com/riplace

To watch the RIPlace technique used to bypass Windows Defender, please visit https://youtu.be/S2On-R6ecik


Follow Nyotron:


About Nyotron

Nyotron pioneers a new generation of automatic Endpoint Detection and Response with integrated protection called Endpoint Prevention and Response (EPR). Our product prevents damage from malware that evades existing security layers and offers granular visibility into the attack. Based on the OS-Centric Positive Security, Nyotron’s PARANOID automatically whitelists trusted operating system behavior and rejects everything else. No manual threat hunting, baselining, machine learning or cloud connectivity required. With PARANOID organizations gain true defense-in-depth protection against the most advanced attacks. Nyotron is headquartered in Santa Clara, CA with an R&D office in Israel.


[1] Source: 2019 Verizon Data Breach Investigations Report (DBIR): https://enterprise.verizon.com/resources/reports/dbir/