New REvil Ransomware Version Automatically Logs Windows into Safe Mode
A Recent Change to the REvil Ransomware Allows Threat Actors to Automate File Encryption Via Safe Mode After Changing Windows Passwords.
When it comes to ingenious hacking strategies and techniques, there’s no stopping REvil Ransomware.
Once more, the well-known ransomware has refined its attack: it now changes the victim’s login password in order to reboot the computer into Windows Safe Mode.
While malicious groups are always updating their attack methodology to counter security measures, the threat actors behind the REvil ransomware are particularly adept at honing their malware to make their attack campaigns more efficient.
Last month, security researcher R3MRUM discovered a new sample of the REvil ransomware that refines the Safe Mode encryption method by changing the logged-on user’s password and configuring Windows to automatically log in on reboot. When the -smode argument is used, the ransomware will change the user’s password to ‘DTrump4ever’.
Source: Bleeping Computer
Afterward, the ransomware configures the Registry values that make Windows automatically log in with the new account credentials on reboot.
According to BleepingComputer, at the moment it is unknown whether or not the new samples of the REvil ransomware encryptor will continue to use the ‘DTrump4ever’ password, but at least two samples uploaded to VirusTotal in the past two days have done so.
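As an added example (not code from the article or from the researchers it cites), the following PowerShell audit checks a host for the artifacts this tactic leaves behind: a Winlogon autologon configuration, a Safe Mode boot setting, and recent local password resets. It assumes the sample uses the standard Winlogon autologon values (AutoAdminLogon, DefaultUserName, DefaultPassword); the article does not list the exact value names.

```powershell
# Added example: audit a Windows host for the autologon-into-Safe-Mode
# configuration described above. Run from an elevated prompt (bcdedit and
# the Security log require administrator rights).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props    = Get-ItemProperty -Path $winlogon
$findings = @()

# Assumption: the standard Winlogon autologon values are what the sample sets.
if ($props.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon is enabled for user '$($props.DefaultUserName)'"
}
if ($props.PSObject.Properties.Name -contains 'DefaultPassword') {
    $findings += 'A cleartext DefaultPassword is stored under Winlogon'
}

# Safe Mode for the next boot is selected via the BCD "safeboot" element.
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s+') {
    $findings += 'Boot entry {current} is configured to start in Safe Mode'
}

# A locally forced password change is logged as Security event 4724
# ("An attempt was made to reset an account's password").
$resets = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
if ($resets) {
    $findings += "$($resets.Count) password reset(s) logged in the last 24h (event 4724)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No autologon, Safe Mode boot, or recent password reset artifacts found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # Remediation, only after confirming the settings were not made intentionally:
    #   Set-ItemProperty    -Path $winlogon -Name AutoAdminLogon  -Value '0'
    #   Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    #   bcdedit /deletevalue '{current}' safeboot
}
```

An autologon entry by itself can be legitimate on kiosks or lab machines; it is the combination with a safeboot entry and a fresh password reset that matches the behavior described here.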
This new tactic illustrates the way ransomware gangs constantly evolve their strategies to successfully encrypt users’ devices and demand a ransom payment.
Just last week, world-leading French EMS company Asteelflash confirmed it has been the victim of a cybersecurity incident, recognizing the involvement of REvil ransomware.
The attackers demanded that Asteelflash pay a whopping $24 million ransom, after the demand had initially been set at $12 million in Monero cryptocurrency. Because the negotiations did not reach an agreement in time, the actors doubled the ransom and leaked the first sample of the exfiltrated files.
REvil also launched a free service that contacts news media and the victim’s business partners to maximize pressure on the victim, and offers DDoS (L3, L7) attacks as a paid service. The threat actors, or their affiliated partners, will place voice-scrambled VoIP calls to the media and to the victim’s business partners with information about the attack.
PC vendor Acer also became the victim of a REvil ransomware attack. The requested ransom, $50 million, might be the largest to date.