The Sodinokibi ransomware (REvil) continues to evolve: its operators have implemented a new feature that allows the malware to encrypt a victim's files even when they are open and locked by another process.
Many applications lock files to prevent two processes from modifying them at the same time. Open, locked files cannot be encrypted by ransomware without first killing the process that holds the lock.
For this reason, most ransomware families shut down popular applications that lock files, such as DBMSs and mail servers.
Now experts from the cybercrime intelligence firm Intel471 have discovered a new variant of the Sodinokibi ransomware, version 2.2, that leverages the Windows Restart Manager API to close processes or shut down Windows services holding a lock on a file, so that the file can be encrypted.
“One of the more interesting new features of REvil version 2.2 is the use of the Windows Restart Manager to terminate processes and services that can lock files targeted for encryption. If a process has an open file handle for a specific file, then writes to that file by another process (in this case, a ransomware) will be prevented by the Windows operating system (OS),” reads the analysis published by Intel471. “To circumvent this, the REvil developers have implemented a technique using the Windows Restart Manager also used by other ransomware such as SamSam and LockerGoga.”
The following portion of the ransomware code shows the use of the Windows Restart Manager:
Microsoft implemented the Restart Manager API to eliminate or reduce the number of system restarts that are required to complete an installation or update.
“The primary reason software updates require a system restart during an installation or update is that some of the files that are being updated are currently being used by a running application or service,” states Microsoft’s API documentation. “The Restart Manager enables all but the critical system services to be shut down and restarted. This frees files that are in use and allows installation operations to complete.”
The popular malware researcher Vitali Kremez noted that the REvil Decryptor v2.2 also leverages the Windows Restart Manager API to shut down any process that could prevent a file from being decrypted.
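A defender-side way to surface this behaviour, added here as an example and not code from the article or from Intel471: a PowerShell script that lists Restart Manager sessions recorded in the current user's registry and flags any that register an unusually large number of user-data files. It assumes the session key path and value names used below (HKCU\Software\Microsoft\RestartManager\Session####, RegFiles####, Owner) and the threshold value, all of which should be verified and tuned on the target Windows build.

```powershell
# Added example (not from the article or Intel471): enumerate Restart Manager
# sessions persisted under HKCU and flag ones that register many user-data files.
# Assumption: RmStartSession() records each session as a Session#### subkey whose
# RegFiles#### values hold the registered paths and whose Owner blob starts with
# the owning process id. Verify these names against your Windows build.
$sessionRoot     = 'HKCU:\Software\Microsoft\RestartManager'
$userDataPattern = '^[A-Za-z]:\\Users\\[^\\]+\\(Documents|Desktop|Pictures)\\'
$threshold       = 20   # constructed tuning value: installers rarely register this many user files

function Get-RestartManagerSessions {
    param([string]$Root = $sessionRoot)
    if (-not (Test-Path -Path $Root)) { return @() }
    Get-ChildItem -Path $Root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $files = @()
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'RegFiles*') { $files += [string]$p.Value }
        }
        $ownerPid = $null
        if ($props.Owner -is [byte[]] -and $props.Owner.Length -ge 4) {
            # Assumption: first DWORD of the Owner blob is the session owner's PID
            $ownerPid = [BitConverter]::ToUInt32($props.Owner, 0)
        }
        $ownerName = $null
        if ($ownerPid) {
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            if ($proc) { $ownerName = $proc.ProcessName }
        }
        [pscustomobject]@{
            Session   = $_.PSChildName
            OwnerPid  = $ownerPid
            OwnerName = $ownerName
            FileCount = $files.Count
            UserFiles = @($files | Where-Object { $_ -match $userDataPattern }).Count
            Files     = $files
        }
    }
}

function Test-SuspiciousSession {
    param([pscustomobject]$Session)
    # A session registering many user-profile documents is not what an updater does.
    return ($Session.UserFiles -ge $threshold)
}

foreach ($s in Get-RestartManagerSessions) {
    if (Test-SuspiciousSession -Session $s) {
        Write-Warning ("{0}: owner PID {1} ({2}) registered {3} user files" -f `
            $s.Session, $s.OwnerPid, $s.OwnerName, $s.UserFiles)
        $s.Files | Select-Object -First 10 | ForEach-Object { Write-Output "  $_" }
    }
}
```

Run it from a scheduled task or an EDR response script in the context of the logged-on user, since the session keys live under that user's HKCU hive.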
Researchers also shared Indicators of Compromise (IoCs) for the new variant of the ransomware, version 2.2.
(SecurityAffairs – Sodinokibi ransomware, hacking)