RIPlace Evasion Technique
In Spring 2019, Nyotron’s Research team discovered an evasion technique that could allow malicious actors to alter files (including encryption) in a way that enables them to bypass most antivirus, anti-ransomware and Endpoint Detection and Response (EDR) solutions’ detection capabilities. The technique leverages documented Microsoft Windows file system rename operations in a way that makes them invisible to security products’ filter drivers.
Example of RIPlace technique in action
We have followed the responsible disclosure policy by informing Microsoft, security vendors and all relevant law enforcement and regulatory authorities. Now, we have released a detailed report about the RIPlace technique, and a free testing tool any organization can download to check its systems.
Download free RIPlace testing tool to find out whether you are vulnerable