The REvil/Sodinokibi ransomware has been updated with a new ability that lets threat actors automatically log in after a reboot into Safe Mode and proceed with file encryption. The new capability was reported by an independent security researcher on their Twitter account.
In March, we reported on REvil's upgrade that added encryption in Windows Safe Mode, enabled with the -smode command-line argument. The malware would reboot the device into Safe Mode and then encrypt files. Safe Mode lets the attackers evade detection by security software, and it leaves backup software, database servers, and mail servers shut down, so the files those services would normally hold open can be encrypted more easily. However, that REvil version required someone to manually log in to Windows Safe Mode before encryption started, which security software could detect.
On March 26, security researcher R3MRUM reported a new REvil sample that changes the current user's password and configures Windows to log in automatically after the reboot into Safe Mode.
The researcher found that when the new sample is run with the -smode argument, the ransomware changes the current user's password to "DTrump4ever" and sets Registry values that instruct Windows to log in automatically with the new credentials on the next reboot. These values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="[account_name]"
"DefaultPassword"="DTrump4ever"
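The registry writes listed above are a usable detection hook. As an added example (not code from the article, the researcher, or the malware analysis), the Python below scans Sysmon-style registry value-set events (Event ID 13) for a process that enables AutoAdminLogon and writes a plaintext DefaultPassword under the Winlogon key within a short window. The pipe-delimited event layout, the log lines, the process paths, the user names and the timestamps are all constructed for illustration; real Sysmon events are XML with the same field names.

```python
"""Added example: flag the Winlogon auto-logon configuration described in the
article in Sysmon-style registry events (Event ID 13, value set).

Event layout, log lines, process paths and user names below are constructed
for illustration; the real Sysmon event is XML with the same field names."""
from datetime import datetime, timedelta

# Registry key the ransomware writes, in Sysmon's short hive notation.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM"}

# Constructed events: "UtcTime|Image|TargetObject|Details" (not real telemetry).
SAMPLE_EVENTS = [
    r"2021-03-26 10:14:02.101|C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|explorer.exe",
    r"2021-03-26 10:15:30.500|C:\Users\Public\enc.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon|1",
    r"2021-03-26 10:15:30.512|C:\Users\Public\enc.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName|jdoe",
    r"2021-03-26 10:15:30.530|C:\Users\Public\enc.exe|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword|DTrump4ever",
    # Sysinternals Autologon enables auto-logon but keeps the password in an
    # LSA secret, so no plaintext DefaultPassword value is written.
    r"2021-03-26 11:02:11.000|C:\Tools\Autologon.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon|1",
    r"2021-03-26 11:02:11.020|C:\Tools\Autologon.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName|kiosk",
]


def parse_event(line):
    """Split one event into fields, normalising the hive name so that
    HKEY_LOCAL_MACHINE and HKLM compare equal."""
    utc, image, target, details = line.split("|", 3)
    hive, _, rest = target.partition("\\")
    target = HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest
    key, _, value_name = target.rpartition("\\")
    return {
        "time": datetime.strptime(utc, "%Y-%m-%d %H:%M:%S.%f"),
        "image": image,
        "key": key,
        "value": value_name,
        "data": details,
    }


def find_autologon_configs(lines, window=timedelta(minutes=5)):
    """Return one finding per process that, within `window`, sets
    AutoAdminLogon to 1 and writes a plaintext DefaultPassword under Winlogon.
    Setting AutoAdminLogon alone is not flagged."""
    events = [parse_event(line) for line in lines]
    winlogon = [e for e in events if e["key"].lower() == WINLOGON_KEY.lower()]

    # Group writes by the process that made them; the ransomware does all
    # three writes itself, a legitimate admin tool does not write the password.
    by_image = {}
    for e in winlogon:
        by_image.setdefault(e["image"], []).append(e)

    findings = []
    for image, evs in by_image.items():
        enables = [e for e in evs
                   if e["value"].lower() == "autoadminlogon" and e["data"] == "1"]
        passwords = [e for e in evs if e["value"].lower() == "defaultpassword"]
        users = [e for e in evs if e["value"].lower() == "defaultusername"]
        for en in enables:
            near = lambda e: abs(e["time"] - en["time"]) <= window
            pw = next((p for p in passwords if near(p)), None)
            if pw is None:
                continue
            user = next((u["data"] for u in users if near(u)), None)
            findings.append({
                "time": en["time"],
                "image": image,
                "user": user,
                "password": pw["data"],
            })
    return findings


if __name__ == "__main__":
    for f in find_autologon_configs(SAMPLE_EVENTS):
        print(f"{f['time']} {f['image']} configured auto-logon for "
              f"{f['user']!r} with plaintext password {f['password']!r}")
```

The rule deliberately keys on the combination of AutoAdminLogon=1 with a plaintext DefaultPassword written by the same process, not on the "DTrump4ever" string, so it keeps working if later samples change the password. The Sysinternals Autologon case in the sample is left unflagged on purpose: that tool stores the password as an LSA secret rather than in DefaultPassword, so only the enable flag and user name appear in the registry.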
While at least two samples of the REvil encryptor uploaded to VirusTotal in the past two days use the same "DTrump4ever" password, it is unknown whether newer samples will continue to use it. Because the password sits in plaintext in the DefaultPassword value, the string is an easy but brittle indicator; the combination of AutoAdminLogon being enabled and a DefaultPassword being written by an unexpected process is the more durable thing to watch for.
These changes are another reminder that ransomware gangs continuously upgrade their malware and tactics to achieve their ransom goals.
Among the REvil gang's other new tactics are DDoS attacks on victims and disclosing sensitive information to the victims' business partners if a ransom is not paid.