The notorious REvil ransomware has refined its attack vector once again to change the victim’s login password in order to reboot the computer into Windows Safe Mode.
While malicious groups are always updating their attack methodology to counter security measures, the threat actors behind the REvil ransomware are particularly adept at honing their malware to make their attack campaigns more efficient. Security researchers recently accused REvil of targeting Acer’s back office computers, demanding a record $50 million ransom.
Just last month security researchers learnt of REvil’s new methodology that enabled the threat actors to encrypt their victim’s file by rebooting into the Windows Safe Mode.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
Not-so-Safe Mode
Researchers believed this new attack strategy was designed as a means to bypass detection by Windows security mechanisms as well as any other protections employed by the user.
The Safe Mode also ensured the ransomware wouldn’t be interrupted by processes with higher privileges such as backups, and servers.
Although that’s quite a novel approach, it relied upon someone to manually reboot Windows into the Safe Mode. The new changes as reported by Bleeping Computer however automates the process.
The latest version of the ransomware will first change the user password, reportedly to DTrump4ever, and then reconfigure a few registry values to enable Windows to automatically login with the updated authentication information.
Via: BleepingComputer
