Home Internet Security REvil ransomware has a new ‘Windows Safe Mode’ encryption mode

REvil ransomware has a new ‘Windows Safe Mode’ encryption mode



The REvil ransomware operation has added a brand new potential to encrypt recordsdata in Home windows Protected Mode, prone to evade detection by safety software program and for larger success when encrypting recordsdata.

Home windows Protected Mode is a particular startup mode that permits customers to run administrative and diagnostic duties on the working system. This mode solely masses the naked minimal of software program and drivers required for the working system to work. 

Moreover, any packages put in in Home windows which might be configured to begin robotically won’t begin in Protected Mode until their autorun is configured a sure manner.

One of many methods to create an autorun in Home windows is to create entries beneath the next Registry keys:


The ‘Run’ keys will launch a program each time you log in, whereas the ‘RunOnce’ key will launch a program solely as soon as after which take away the entry from the Registry.

For instance, the next Registry key will robotically begin the C:Userstesttest.exe program once you log in to Home windows.


Nevertheless, the above autorun won’t launch in Protected Mode until you add an asterisk (*) to the start of the worth title like the next:


REvil now features a ‘Protected Mode’ mode

In a brand new pattern of the REvil ransomware found by MalwareHunterTeam, a brand new -smode command-line argument was added that forces the pc to reboot into Protected Mode earlier than encrypting a tool.

To do that, REvil will execute the next instructions to power the pc as well into Protected Mode with Networking when Home windows subsequent restarts.

bootcfg /uncooked /a /safeboot:community /id 1
bcdedit /set {present} safeboot community

It then creates a ‘RunOnce’ autorun referred to as ‘*franceisshit’ that executes ‘bcdedit /deletevalue {present} safeboot‘ after the customers logs into Protected Mode.

RunOnce entry to delete the 

Lastly, the ransomware performs a pressured restart of Home windows that can’t be interrupted by the person.

Proper earlier than the method exits, it should create an extra RunOnce autorun named ‘AstraZeneca,’ presumably about France’s current deliberations about utilizing the vaccine.

This autorun will relaunch the REvil ransomware with out the -smode argument when the subsequent person logs in after the gadget is rebooted. 

AstraZenica autorun entry

It is very important do not forget that each of those ‘RunOnce’ entries might be executed after logging into Protected Mode and can robotically be deleted by Home windows.

On reboot, the gadget will begin up in Protected Mode With Networking, and the person might be prompted to log into Home windows. As soon as they login, the REvil ransomware might be executed with out the -smode argument in order that it begins to encrypt the recordsdata on the gadget.

Home windows may even run the  ‘bcdedit /deletevalue {present} safeboot‘ command configured by the ‘*AstraZeneca’ Registry key in order that the machine can reboot into regular mode when the ransomware is completed.

Whereas REvil is encrypting recordsdata, the Protected Mode display screen might be clean, however it’s nonetheless doable to make use of Ctrl+Alt+Delete to launch the Home windows Process Supervisor. From there, you possibly can see the executable operating, which in our check is called ‘smode.exe,’ as proven beneath.

REvil ransomware running in Safe Mode
REvil ransomware operating in Protected Mode

Whereas operating, the ransomware will stop customers from launching any packages by way of Process Supervisor till it finishes encrypting the gadget.

As soon as the gadget is encrypted, it should permit the remainder of the bootup sequence to proceed, and the desktop might be proven with a ransom observe and encrypted recordsdata.

Device encrypted in Safe Mode
Gadget encrypted in Protected Mode

Uncommon strategy

REvil’s new Protected Mode operation is a bit unusual because it requires customers to log in to the gadget after they restart into Protected Mode.

Moreover, as soon as they log into Protected Mode, they are going to be introduced with a clean display screen, and heavy thrashing of drives because the ransomware encrypts the gadget.

This conduct may trigger customers to change into immediately suspicious and hibernate or shut down their computer systems to be secure.

Because of this, it’s doable that the attackers are manually operating the brand new Protected Mode command towards particular computer systems, akin to digital machines or servers, that they wish to encrypt with out points.

Whatever the causes, that is one other new assault methodology that safety professionals and Home windows admins must be careful for as ransomware gangs always evolve their techniques.

REvil shouldn’t be the one operation to make the most of Protected Mode for encrypting gadgets.

In 2019, one other ransomware often known as ‘Snatch’ additionally added the ability to encrypt a tool in Protected Mode utilizing a Home windows service.

Source link