Here we can see, “REvil Ransomware Automatically Logs Windows Into Safe Mode”
- If a device has been infected with the REvil ransomware, it will automatically boot into Safe Mode.
- The malware has been updated so that no action by the user is required.
- A good antivirus program is the best defense against this form of ransomware assault.
- According to reports, even after the adjustments, most antivirus software can detect REvil ransomware attacks.
REvil/Sodinokibi ransomware has modified its attack strategy to ensure access to victims’ operating systems, according to recent security research.
The changes allow the malware to encrypt files by changing the user’s system login password and forcing a reboot. Both older and newer versions of Windows are affected.
On his Twitter account, researcher R3MRUN shared the findings of the study.
How does the REvil ransomware use Safe Mode to force a login?
Previously, the ransomware could reboot the device into Safe Mode using the -smode command-line argument, but the user still had to log in to that environment manually.
Given that Safe Mode is intended to be, as the name says, safe, and is even advised as a secure environment for malware removal when a system malfunctions, this is a clever and novel attack strategy.
Furthermore, security software does not run in Safe Mode, so the malware’s processes are not halted there.
The ransomware code has been updated to avoid raising suspicion. According to the researcher’s posts, the ransomware now changes the user’s password to DTrump4ever when run with the -smode parameter.
It does this by changing a few Registry entries, after which Windows reboots and logs in automatically with the new credentials.
It is thought that the following registry values were used (shown here in .reg export format):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="[account_name]"
"DefaultPassword"="DTrump4ever"
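A defender can look for exactly this Winlogon configuration in a registry export (for example the output of `reg export`) taken from a suspect host. The following is an added example, not code from the article or the researcher: it parses a .reg file and reports when AutoAdminLogon is enabled together with a cleartext DefaultPassword. The sample export and the user name are constructed.

```python
import re

# Constructed sample of a `reg export` of the Winlogon key, mirroring the values
# the article attributes to the REvil -smode update. Not a real artefact.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="alice"
"DefaultPassword"="DTrump4ever"
"Shell"="explorer.exe"
"""

WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches "Name"="string" or "Name"=dword:XXXXXXXX (other types are ignored).
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(dword:[0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse a .reg export into {key_path(lowercased): {value_name: data}}.
    String data is kept as written (escape sequences are not unescaped)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            # Registry key paths are case-insensitive, so normalise for lookup.
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, string_data, dword_data = m.groups()
            keys[current][name] = string_data if string_data is not None else dword_data
    return keys


def winlogon_autologon_findings(text):
    """Return findings for a Winlogon auto-logon set-up like the one the article describes."""
    values = parse_reg(text).get(WINLOGON_KEY, {})
    findings = []
    if values.get("AutoAdminLogon") in ("1", "dword:00000001"):
        findings.append("AutoAdminLogon enabled")
        if values.get("DefaultPassword"):
            user = values.get("DefaultUserName", "")
            findings.append("cleartext DefaultPassword present for user %r" % user)
    return findings
```

A legitimate kiosk or lab image can also set AutoAdminLogon, so treat a hit as a lead to correlate with a recent password change and a pending Safe Mode boot, not as proof of infection on its own.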
The researcher also linked two VirusTotal entries, one for a sample with the updated attack and one for a sample without it. The most dependable way to protect your PC from such an attack is to use a reputable antivirus.
Conclusion
I hope you found this guide useful. If you have any questions or comments, don’t hesitate to use the form below.
User Questions:
1. Is it possible to run ransomware in safe mode?
Because endpoint protection programmes do not run in Safe Mode, booting the system into Safe Mode lets the ransomware encrypt victims’ files without interruption. Ransomware families such as Snatch, REvil, and BlackMatter have used this technique in the past.
2. Is there a way to block ransomware in safe mode?
While rebooting into Safe Mode is effective for removing older screen-locker ransomware, it is not advised when dealing with current ransomware that encrypts files.
3. What is REvil ransomware, and how does it work?
Gangs like REvil use ransomware, malware that encrypts files after infecting a system. The group then sends a ransom demand to the victims once the data has been taken and rendered inaccessible to them.
4. Critical Ransomware Incident in Progress : r/msp – Reddit
5. Kaseya Ransomware Attack Taking Place. : r/sysadmin – Reddit