Threat actors keep updating their tooling to slip past security controls for financial gain. One such instance has been observed with REvil ransomware, which has been updated with a feature that lets its operators automate file encryption in Safe Mode after changing the Windows user's password. The earlier version of this Safe Mode encryption required a manual login to Safe Mode before encryption could start; the new version removes that step.
What Transpired?
A security researcher spotted a new version of the REvil ransomware in March. In this sample, researchers observed that the attackers had reworked the Safe Mode encryption feature, which had previously been flagged as a red flag because it depended on a manual login.
- When the -smode argument is used, the new variant changes the user's password to DTrump4ever and then configures registry values so that Windows logs in automatically with the new credentials.
- It is still unknown whether every build of the new variant uses the DTrump4ever password; however, the samples the researchers acquired were all found to use it.
- Rebooting a Windows system into Safe Mode also allows the ransomware operators to make changes that may not be possible in normal mode, since many security products and services do not start there.
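The behaviour in the list above (automatic logon configured in the registry, followed by a reboot into Safe Mode) is something a defender can look for in endpoint telemetry. The script below is an added example, not code from this page or from any eScan product: it correlates a few constructed Sysmon-style events per host and raises an alert only when the auto-logon switch, an auto-logon password and a Safe Mode boot change all appear within a short window. It assumes the standard Winlogon auto-logon values (AutoAdminLogon, DefaultUserName, DefaultPassword) and a bcdedit safeboot change as the indicators; the page does not name which registry values or reboot mechanism REvil uses, so those, along with the host names, timestamps and sample rows, are assumptions made for the example.

```python
"""Correlate auto-logon registry changes with a Safe Mode boot change.

Constructed Sysmon-style events: EventID 13 = registry value set,
EventID 1 = process creation. Field names mirror Sysmon's, but every
row is made up for this example, not taken from a real incident.
"""
import re
from datetime import datetime, timedelta

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOW = timedelta(minutes=15)
REQUIRED = {"autologon_enabled", "autologon_password_set", "safeboot_configured"}
SAFEBOOT_RE = re.compile(r"\bsafeboot\b", re.IGNORECASE)

SAMPLE_EVENTS = [
    # Suspicious sequence on ws01: auto-logon enabled, password stored,
    # then the boot configuration switched to Safe Mode within seconds.
    {"ts": "2021-03-20T10:00:01", "id": 13, "host": "ws01",
     "target": WINLOGON + r"\AutoAdminLogon", "details": "1"},
    {"ts": "2021-03-20T10:00:01", "id": 13, "host": "ws01",
     "target": WINLOGON + r"\DefaultUserName", "details": "alice"},
    {"ts": "2021-03-20T10:00:02", "id": 13, "host": "ws01",
     "target": WINLOGON + r"\DefaultPassword", "details": "DTrump4ever"},
    {"ts": "2021-03-20T10:00:05", "id": 1, "host": "ws01",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot network"},
    # Benign: an admin enabling auto-logon on a kiosk, no Safe Mode change.
    {"ts": "2021-03-20T11:30:00", "id": 13, "host": "kiosk7",
     "target": WINLOGON + r"\AutoAdminLogon", "details": "1"},
    {"ts": "2021-03-20T11:30:01", "id": 13, "host": "kiosk7",
     "target": WINLOGON + r"\DefaultPassword", "details": "k10skpw"},
    # Benign: a technician booting a different host into Safe Mode alone.
    {"ts": "2021-03-20T09:00:00", "id": 1, "host": "ws02",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot minimal"},
]


def classify(event):
    """Map one event to an indicator name, or None if it is not relevant."""
    if event["id"] == 13:
        target = event["target"].lower()
        if not target.startswith(WINLOGON.lower() + "\\"):
            return None
        value_name = target.rsplit("\\", 1)[1]
        if value_name == "autoadminlogon" and event["details"].strip() == "1":
            return "autologon_enabled"
        if value_name == "defaultpassword":
            return "autologon_password_set"
    elif event["id"] == 1 and "bcdedit" in event["image"].lower():
        if SAFEBOOT_RE.search(event["cmdline"]):
            return "safeboot_configured"
    return None


def correlate(events, window=WINDOW):
    """Return one alert per host where all REQUIRED indicators fall within `window`."""
    seen = {}  # host -> {indicator: first timestamp seen}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        indicator = classify(ev)
        if indicator is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        bucket = seen.setdefault(ev["host"], {})
        # Forget indicators that fell out of the correlation window.
        for name in list(bucket):
            if ts - bucket[name] > window:
                del bucket[name]
        bucket.setdefault(indicator, ts)
        if REQUIRED <= set(bucket):
            alerts.append({
                "host": ev["host"],
                "first": min(bucket.values()).isoformat(),
                "last": ev["ts"],
                "indicators": sorted(bucket),
            })
            seen[ev["host"]] = {}  # one alert per incident, not per event
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring all three indicators on the same host within the window is what keeps the kiosk and the lone bcdedit change from alerting; a real deployment would feed the same logic from a SIEM query over Sysmon or EDR registry and process events rather than from the embedded list.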
REvil is one of the most active ransomware families in recent times, targeting several well-known entities globally.
- The IT giant Acer was recently targeted by REvil, and a $50 million ransom was demanded.
- The operators of REvil have also threatened victims with DDoS attacks if they fail to pay the ransom, and have warned that they would make VoIP calls to the victims' partners and to journalists to tell them about the attack.
The recent disclosures by researchers make it evident that the operators of REvil are continuing to enhance their malware and evolve their tactics, and other ransomware operators are likely to follow the trend. Our internal experts emphasize that staying aware and proactively strengthening defenses is the recommended way to deal with such challenges.
To read more, please check the eScan Blog.