Commvault’s Ransomware Protection Is Safe From RIPlace

Commvault’s mountpath ransomware protection continues to be a leading solution for protecting backup data and is not affected by the RIPlace bypass, so get the word out!

By David Cunningham

With ransomware rapidly spreading and growing in numbers year after year, security endpoints and software vendors have been incorporating various protection mechanisms into their products at an aggressive pace. Commvault’s ransomware protection offerings have been helping customers mitigate ransomware attacks for many feature packs with great success.

However, as with all things security-related, the “hacker world” is constantly evolving and finding ways around protection schemes. In recent news, it has been reported that common ransomware protection techniques offered in many security endpoints have been bypassed. This bypass technique is called RIPlace, and it was first discovered by the security firm Nyotron.

The commonality with most ransomware protection techniques offered by security endpoints is the use of a filter driver. The filter driver “filters” I/O requests such as writes and deletes, and provides a low level mechanism of blocking ransomware from encrypting files in a given file system path. Commvault uses a proprietary method for protecting mount paths from ransomware that shares some similarities to security endpoints.

RIPlace circumvents this filter-level driver by reading files, then writing the encrypted data from memory and using a rename operation, rather than an in-place write or a delete, to replace the original file with the encrypted file.
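A detection-side illustration of the sequence described above (read a file, write the data elsewhere, rename over the original), run over constructed events. This is an added example, not Commvault's or Nyotron's code; the event tuple format, the paths and the function name are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed file-activity events: (pid, operation, path, rename_target).
EVENTS = [
    (101, "read",   r"D:\MountPath\chunk_001.dat", None),
    (101, "write",  r"D:\MountPath\a1.tmp", None),
    (101, "rename", r"D:\MountPath\a1.tmp", r"D:\mountpath\CHUNK_001.dat"),
    (202, "read",   r"D:\MountPath\chunk_002.dat", None),
    (202, "write",  r"D:\MountPath\chunk_002.dat", None),  # in-place write
    (303, "write",  r"D:\MountPath\b7.tmp", None),
    (303, "rename", r"D:\MountPath\b7.tmp", r"D:\MountPath\chunk_003.dat"),
    (404, "read",   r"C:\Users\a\notes.txt", None),
    (404, "write",  r"C:\Users\a\notes.tmp", None),
    (404, "rename", r"C:\Users\a\notes.tmp", r"C:\Users\a\notes.txt"),
]


def find_rename_replacements(events, protected_dir):
    """Return (pid, source, target) for each rename that replaces a file the
    same process read earlier with a file that process wrote elsewhere."""
    # Windows paths are case-insensitive, so compare normalized forms.
    root = ntpath.normcase(protected_dir).rstrip("\\") + "\\"
    read_by = defaultdict(set)     # pid -> normalized paths it has read
    written_by = defaultdict(set)  # pid -> normalized paths it has written
    hits = []
    for pid, op, path, target in events:
        key = ntpath.normcase(path)
        if op == "read":
            read_by[pid].add(key)
        elif op == "write":
            written_by[pid].add(key)
        elif op == "rename" and target is not None:
            dest = ntpath.normcase(target)
            # No write or delete is ever issued against `dest` itself;
            # the rename is the only operation that touches the original.
            if (dest.startswith(root) and dest in read_by[pid]
                    and key in written_by[pid] and key != dest):
                hits.append((pid, path, target))
    return hits
```

Applications that save via a temporary file and rename produce the same sequence, so hits are candidates to check against an allowlist of processes expected to touch the protected path.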

As of November 2019, Nyotron told BleepingComputer that it had tested RIPlace against over a dozen security endpoint vendors. At the time, it found that only two of the vendors tested had modified their products to prevent this bypass technique.

In fact, I did some digging around, and you can find chatter on Internet forums regarding the validity of the above claims.

There is good news, however. After testing, and looking at the code, we can officially validate that:

Commvault’s ransomware protection feature is NOT affected by the RIPlace bypass!

Commvault’s mountpath ransomware protection continues to be a leading solution for protecting backup data! So get the word out!

For reference

https://www.nyotron.com/blog/nyotron-discovers-potentially-unstoppable-ransomware-evasion-technique-riplace/

https://www.brighttalk.com/webcast/16267/379495/riplace-does-it-make-ransomware-unstoppable
