RIPlace Evasion Technique

In Spring 2019, Nyotron’s Research team discovered an evasion technique that could allow malicious actors to alter files (including encryption) in a way that enables them to bypass most antivirus, anti-ransomware and Endpoint Detection and Response (EDR) solutions’ detection capabilities. The technique leverages documented Microsoft Windows file system rename operations in a way that makes them invisible to security products’ filter drivers.

Example of RIPlace technique in action

We have followed the responsible disclosure policy by informing Microsoft, security vendors and all relevant law enforcement and regulatory authorities. Now, we have released a detailed report about the RIPlace technique, and a free testing tool any organization can download to check its systems.

How to Secure My Organization?

Download free RIPlace testing tool to find out whether you are vulnerable


RIPlace is an evasion technique that allows for malicious alteration of files without being detected by most AV or Endpoint Detection & Response (EDR) products.
Not only does RIPlace enable the bypassing of antivirus (including so called next-generation antivirus or NGAV), it leaves no trace in Endpoint Detection & Response (EDR) tools. It’s also extremely easy for attackers to deploy, as implementation requires only two lines of code.
Not exactly. Using this technique, it is possible to maliciously encrypt files and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback. We believe that malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products.
Contrary to some earlier reports, RIPlace technique does not require privilege escalation. One can abuse RIPlace to overwrite any files the user has access to.
The odds are not in your favor, see above.
All versions of Microsoft Windows starting from Windows XP to the latest updated Windows 10 with fully up-to-date AV, NGAV and EDR security products installed. Nyotron PARANOID customers are protected from RIPlace technique.
The technique can be used to corrupt files by replacing them using the rename file system function. The RIPlace is a combination of the replacing function and Rest in Peace (RIP), as the original file is likely gone for good.
Yes. Nyotron in Spring 2019 began communicating with Microsoft and dozens of security vendors to ensure this technique is appropriately handled. Unfortunately, only a handful of security vendors have acknowledged the fix.
Join our webinar on Thursday, December 12 at noon Pacific/3pm Eastern (or listen to the recording) or read our blog article.
Yes, Nyotron offers a free tool to test your system and security products against RIPlace evasion technique.