
Is there any official word from Sophos regarding the RIPlace ransomware threat?

Nyotron is reporting a new strain of ransomware that can bypass most malware protection.  

https://www.nyotron.com/blog/nyotron-discovers-potentially-unstoppable-ransomware-evasion-technique-riplace/

 

I ran their test tool. Intercept X flagged it as a generic PUA. I made an exception for the PUA and let the test run. The tool was able to successfully encrypt my test files, which, to me, indicates that Intercept X isn't able to block it. I hope that's not the case.

This thread was automatically locked due to age.
  • Hello  

    Sophos uses various detection techniques, however without a sample we are not able to confirm if we detect this malware. Please send a sample of the files you have tested to Sophos Labs via our web submission link: https://secure2.sophos.com/en-us/support/submit-a-sample.aspx. From there choose "Submit a sample file" and provide the requested information.

    Thank you very much!

    Regards, 

     
    DianneY
    Technical Support Engineer | Sophos Support

  • Hi DianneY.

    I don't have a sample, as I have not come across this particular threat yet. It's really a question of will my clients be protected should it start making its rounds.

    Nyotron has a full article on the issue (https://www.nyotron.com/riplace), as well as a testing tool (https://www.nyotron.com/collateral/RIPlace.rar). It was this testing tool that seems to indicate that Sophos does not protect against this particular strain.

    The story is making headlines and Nyotron is using the opportunity to tout the security of its own products and demonstrate that other A/V vendors are not able to protect as well. I would like to know if Sophos protects against the threat, and if not, is it being investigated, preferably before any of my clients start asking me.

  • I tried the same thing and it appears that Intercept X does not catch the technique. I do hope that this is something that Sophos will address before it does appear. Thanks.

    According to bleepingcomputer.com:

    "Nyotron followed responsible disclosure practices by informing security vendors of the issue – six months ago. However, only one vendor was responsive and prompt, addressing the issue in all its products. The rest of the industry (including one major tech vendor) seem to view RIPlace as a non-issue because it has not yet been seen in the wild."

    https://www.bleepingcomputer.com/news/security/new-riplace-bypass-evades-windows-10-av-ransomware-protection/

  • Hello Derek Higgins,

    just curious - did you also have to make a PUA exception like JamesGolden had? The difference between ransomware and encryption software is basically just that the former doesn't provide the decryption key (usually it does not generate the keys so it doesn't even know it).

    Christian

  • Thanks for your very fast reply.  Yes, I did need to make the exception to even extract the RIPlace.exe.  Our company is on a mission to try to tighten everything up as much as possible, especially seeing what is happening out there.  So, the test software may not be an actual real test because of the keys?  That makes sense, but I don't know the answer to that.  Thanks again for your quick reply. 

  • Hello Derek Higgins,

    haven't tested the software and can't say how it works in detail.
    PUA covers a wide spectrum, from (potential) licensing problems, "productivity impact", potential misuse, to very dubious. You're advised to carefully assess PUAs you exempt. Subsequently your exemption is honoured - I assume that the software is nevertheless not totally free in its actions but it is permitted to "show off".

    Christian

  • Not a good look for Sophos when articles like this come out. Seems the "other" guys have taken this thing seriously but Sophos forum gurus still want us to submit samples. 

     

    https://www.bleepingcomputer.com/news/security/thanos-ransomware-auto-spreads-to-windows-devices-evades-security/?fbclid=IwAR3AjXON5eOnIw-jDg0f02S_LnFGtxpcI98pB405BmLhkUBNsvjTJ0TilAs

  • Hi Matthew,

    If someone is reporting a potential threat, then I think it is fair to request a sample submission; this allows SophosLabs to analyse the file and provide a suitable response as to the threat the file poses and the protection Sophos offers.

    In some cases these claims or disclosures relate to a POC, as it does in this case. Sophos do take threats seriously; do not take a lack of an article to mean a lack of attention! We have various blogs, such as SophosLabs Uncut, that write about new and interesting threats; it is not possible to cover them all, and it appears in this case that we didn't.

    You highlight that the original RIPlace technique is being used in the wild. I will speak to the team and update this thread on info we can share about Thanos ransomware.

    Regards,

    Stephen

  • Yes, this landed in Intercept X. HitmanPro.Alert is protected also, and so should Sophos Home Premium be.

    https://downloads.sophos.com/readmes/sesc_interceptx_rneng.html

    WINEP-23475

    With regards to Thanos, we've only seen the option in the Ransomware Builder, AFAIK there are no samples in the wild (yet) abusing this.

     

    Kind Regards,

    Ronny (Team HitmanPro).

  • Awesome. Good job. There may not be much in the wild right now but you know there will be eventually. Always better to stay ahead of these types of exploits. Thanks for the update.