Is there any official word from Sophos regarding the RIPlace ransomware threat?

Nyotron is reporting a new strain of ransomware that can bypass most malware protection.

https://www.nyotron.com/blog/nyotron-discovers-potentially-unstoppable-ransomware-evasion-technique-riplace/
I ran their test tool. Intercept-X flagged it as a generic PUA. I made an exception for the PUA and let the test run. The tool was able to successfully encrypt my test files, which, to me, indicates that Intercept-X isn't able to block it. I hope that's not the case.
  • Hello

    Sophos uses various detection techniques; however, without a sample we are not able to confirm if we detect this malware. Please send a sample of the files you have tested to Sophos Labs via our web submission link: https://secure2.sophos.com/en-us/support/submit-a-sample.aspx. From there choose "Submit a sample file" and provide the requested information.

    Thank you very much!

  • In reply to DianneY:

    Hi DianneY.

    I don't have a sample, as I have not come across this particular threat yet. It's really a question of whether my clients will be protected should it start making its rounds.

    Nyotron has a full article on the issue (https://www.nyotron.com/riplace), as well as a testing tool (https://www.nyotron.com/collateral/RIPlace.rar). It was this testing tool that seems to indicate that Sophos does not protect against this particular strain.

    The story is making headlines, and Nyotron is using the opportunity to tout the security of its own products and demonstrate that other A/V vendors are not able to protect as well. I would like to know if Sophos protects against the threat, and if not, whether it is being investigated, preferably before any of my clients start asking me.

  • In reply to JamesGolden:

    I tried the same thing and it appears that Intercept X does not catch the technique. I do hope that this is something that Sophos will address before it does appear. Thanks.

    According to bleepingcomputer.com:

    "Nyotron followed responsible disclosure practices by informing security vendors of the issue – six months ago. However, only one vendor was responsive and prompt, addressing the issue in all its products. The rest of the industry (including one major tech vendor) seem to view RIPlace as a non-issue because it has not yet been seen in the wild."

    https://www.bleepingcomputer.com/news/security/new-riplace-bypass-evades-windows-10-av-ransomware-protection/

  • In reply to Derek Higgins:

    Hello Derek Higgins,

    Just curious - did you also have to make a PUA exception, as JamesGolden did? The difference between ransomware and encryption software is basically just that the former doesn't provide the decryption key (usually it does not generate the keys, so it doesn't even know them).

    Christian

  • In reply to QC:

    Thanks for your very fast reply. Yes, I did need to make the exception to even extract the RIPlace.exe. Our company is on a mission to try to tighten everything up as much as possible, especially seeing what is happening out there. So, the test software may not be an actual real test because of the keys? That makes sense, but I don't know the answer to that. Thanks again for your quick reply.

  • In reply to Derek Higgins:

    Hello Derek Higgins,

    I haven't tested the software and can't say how it works in detail.
    PUA covers a wide spectrum, from (potential) licensing problems, "productivity impact" and potential misuse, to the very dubious. You're advised to carefully assess the PUAs you exempt. Subsequently your exemption is honoured - I assume that the software is nevertheless not totally free in its actions, but it is permitted to "show off".

    Christian