This Windows file system feature helps ransomware encrypt files undetected and within seconds

According to web application security experts from Nyotron, there is a new method that allows threat actors to encrypt Windows files in a special way that security tools are unable to detect.

Ransomware attacks remain very common and keep evolving. A report based on figures from multiple security firms mentions that 28% of cybersecurity incidents reported in the US are related to encryption malware infections, with the operators of these attacks employing increasingly sophisticated resources and showing a clear evolution in the way a malicious campaign is executed.

The latest evolution of this malware shows that its developers have worked hard to find ways to avoid detection. Experts from Nyotron, a web application security firm from California, US, report the finding of a critical vulnerability dubbed “RIPlace”.

If exploited, the vulnerability would allow threat actors to bypass active protection measures on a system by using a legacy file system “rename” operation on Windows operating systems. Experts mention that this attack method requires only a couple of lines of code to execute.

Nir Gaist, Nyotron founder and research leader, mentions that the company has already reported the vulnerability following the disclosure guidelines set by the cybersecurity community. Nyotron has also released a free tool to check whether a device is vulnerable to this attack.

“While this method does not actually hide the malware, it is possible to use it to modify the system files without attracting the attention of most security tools. This is why it could be useful for hackers during a ransomware attack, completing the encryption process stealthily,” adds the web application security expert.

In a proof of concept, Nyotron experts demonstrated that ransomware can use the RIPlace vulnerability to infect devices protected by Windows Defender and other solutions such as Symantec Endpoint Protection.

A few months ago a similar vulnerability was also reported in the software of some Canon cameras. Researchers tried to determine whether a threat actor could abuse the camera’s image transfer protocol to inject encryption malware into the device stealthily.

Although that attack required physical access to the device, web application security specialists from the International Institute of Cyber Security (IICS) consider it a sample of the evolution of encryption malware and of the ability of threat actors to compromise any device with an Internet connection. It is therefore also necessary for ethical researchers and hackers to find the next step in combating encryption malware.