By David Cunningham
With Ransomware rapidly spreading and growing in numbers year after year, security endpoints and software vendors have been incorporating various protection mechanisms into their products at an aggressive pace. Commvault’s ransomware protection offerings have been helping customers mitigate ransomware attacks for many feature packs with great success.
However, just like with all things security related, the “hacker world” is constantly evolving and finding ways around protection schemes. In recent news, it has been reported that common ransomware protection techniques offered in many security endpoints have been bypassed. This bypass technique is called RIPlace, and it was first discovered by the security firm Nyotron.
The commonality with most ransomware protection techniques offered by security endpoints is the use of a filter driver. The filter driver “filters” I/O requests such as writes and deletes, and provides a low level mechanism of blocking ransomware from encrypting files in a given file system path. Commvault uses a proprietary method for protecting mount paths from ransomware that shares some similarities to security endpoints.
RIPlace circumvents this filter level driver by reading files, then writing encrypted data from memory and using a rename operation to replace the original file with the encrypted file.
As of November 2019, Nyotron told BleepingComputer that it tested RIPlace against over a dozen security endpoint vendors. At the time, it found that only two security vendors tested were modified to prevent this bypass technique.
In fact I did some digging around, and you can find chatter on Internet forums regarding the validity of the above claims.
There is good news, however. After testing, and looking at the code, we can officially validate that:
Commvault’s ransomware protection feature is NOT affected by the RIPlace bypass!
Commvaults mountpath ransomware protection continues to be a leading solution for protecting backup data! So get the word out!