REvil Can Now Automatically Change Password To Auto-login in Safe Mode

The REvil/Sodinokibi ransomware has been updated with a new ability that lets threat actors automatically login after a reboot in Safe Mode to proceed with file encryption. The new capability has been reported by an independent security researcher on their Twitter account.

In March, we reported on a REvil upgrade that added encryption in Windows Safe Mode, enabled with the -smode command-line argument. The malware would then reboot the device into Safe Mode and encrypt files there. Safe Mode lets the attackers evade security software and shut down backup software, database servers, or mail servers so the data is easier to encrypt. However, that REvil version required someone to manually log in to Windows Safe Mode before encryption began, which security software could detect.

On March 26, a security researcher R3MRUM reported a new sample of the REvil ransomware that can change the current user’s password and make Windows automatically login on reboot in Safe Mode.

The researcher found that when the new REvil sample is run with the -smode argument for Safe Mode, the ransomware can change the current user’s password to “DTrump4ever.” It then configures Registry entries that instruct Windows to automatically log in with the new credentials after a reboot. These entries are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="[account_name]"
"DefaultPassword"="DTrump4ever"
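The auto-logon values above are easy to audit on a host. The following PowerShell function is an added example, not code from the article or from the researcher’s analysis; the function name, the -Remediate switch and the safeboot check are this example’s own assumptions. It reports whether Winlogon is set to log in automatically, whether a clear-text DefaultPassword is stored, and whether the current boot entry is flagged for Safe Mode, and can optionally revert those settings. Run it in an elevated session.

```powershell
# Added example (not from the article): audit the Winlogon auto-logon values
# described above and optionally revert them. Requires an elevated session.
function Test-WinlogonAutoLogon {
    [CmdletBinding()]
    param([switch]$Remediate)   # -Remediate is this example's own switch

    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $findings = @()

    if ($props.AutoAdminLogon -eq '1') {
        $findings += 'AutoAdminLogon is enabled'
    }
    if ($props.PSObject.Properties['DefaultPassword']) {
        # A clear-text DefaultPassword is not expected on a managed host.
        $findings += "DefaultPassword is present for user '$($props.DefaultUserName)'"
        if ($props.DefaultPassword -eq 'DTrump4ever') {
            $findings += 'DefaultPassword matches the value seen in the reported REvil samples'
        }
    }

    # The -smode variant also needs a Safe Mode reboot, which shows up as a
    # safeboot value on the current boot entry.
    $bcd = bcdedit /enum "{current}" 2>$null
    $safeboot = @($bcd) -match '^\s*safeboot\s'
    if ($safeboot.Count -gt 0) {
        $findings += 'BCD {current} has a safeboot value set'
    }

    if ($findings.Count -eq 0) {
        Write-Output 'No auto-logon indicators found.'
        return
    }
    $findings | ForEach-Object { Write-Warning $_ }

    if ($Remediate) {
        Set-ItemProperty -Path $key -Name AutoAdminLogon -Value '0'
        Remove-ItemProperty -Path $key -Name DefaultPassword -ErrorAction SilentlyContinue
        if ($safeboot.Count -gt 0) {
            bcdedit /deletevalue "{current}" safeboot | Out-Null
        }
        Write-Output 'Auto-logon values reverted; reset the affected account password.'
    }
}

Test-WinlogonAutoLogon
```

Reverting the values does not undo the password change itself; the affected account still needs a password reset.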

While at least two samples of the REvil ransomware encryptor uploaded to VirusTotal in the past two days use the same ‘DTrump4ever’ password, it is unknown whether newer samples continue to use it.

These changes are another reminder that ransomware gangs continuously upgrade their malware and tactics to achieve their ransom goals.

Among the REvil gang’s other new tactics are performing DDoS attacks on victims and revealing sensitive information to the victims’ business partners if a ransom is not paid.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.