The REvil gang has upgraded its ransomware to allow them to reboot an infected device after encrypting its storage, MalwareHunterTeam reported via Twitter.
Researchers say that REvil operators have added two new command-line parameters, ‘AstraZeneca’ and ‘Franceisshit’, which allow them to reach the Windows devices’ startup settings screen and run the malware in Safe Mode.
“‘AstraZeneca’ is used to run the ransomware sample itself in the safe mode, and ‘Franceisshit’ is used to run a command in the safe mode to make the PC run in normal mode after the next reboot,” MalwareHunterTeam tweeted.
Emsisoft threat analyst Brett Callow told ISMG: “While not unique, the approach is certainly unusual. The most likely reason for REvil introducing this functionality is that it may enable their ransomware to avoid detection by some security products.”
Booting a Windows computer in Safe Mode can disable antivirus or anti-ransomware software, which allows the attackers to make changes that security tools would otherwise block in normal mode.
MalwareHunterTeam advises organizations to guard against such attacks by monitoring computers for unexpected reboot activity. Having an effective data loss prevention solution in place would also help.
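A defender-side check for the reboot pattern described above, added here as an example (not from the article or from MalwareHunterTeam). It assumes an elevated PowerShell session on the Windows host being reviewed and relies on the standard System-log shutdown events, the SafeBoot registry key that exists only while Windows is running in Safe Mode, and the boot configuration's safeboot entry:

```powershell
# Added example: review recent reboot activity and Safe Mode state on a Windows host.
# Assumes an elevated session; bcdedit needs administrator rights.
$since = (Get-Date).AddDays(-7)

# 1074 = a process requested a shutdown/restart (message names the process, user and reason)
# 6008 = the previous shutdown was unexpected
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6008; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # First message line of 1074 carries the requesting process and user; an analyst
    # compares it against known servicing/maintenance windows.
    if ($e.Id -eq 1074) {
        "{0}  restart/shutdown requested: {1}" -f $e.TimeCreated, ($e.Message -split "`n")[0]
    }
    else {
        "{0}  unexpected shutdown recorded" -f $e.TimeCreated
    }
}

# This key is present only while the current session is booted in Safe Mode.
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option') {
    'WARNING: host is currently running in Safe Mode'
}

# A persistent safeboot entry means the next reboot will land in Safe Mode.
if ((bcdedit /enum '{current}') -match '^\s*safeboot') {
    'WARNING: boot configuration contains a safeboot entry'
}
```

Run it as a scheduled baseline on endpoints so a Safe Mode boot or an unexplained restart outside a maintenance window surfaces quickly.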
In addition, Kron advises that since REvil primarily uses compromised Remote Desktop Protocol (RDP) sessions and email phishing, organizations need to secure all internet-accessible RDP instances, preferably with multifactor authentication, and that their employees undergo high-quality security awareness training.
Also known as Sodinokibi and Sodin, the REvil gang first appeared in April 2019.
This is not the first time the REvil gang upgraded its malware and changed its extortion tactics. It now reportedly targets larger organizations in search of much bigger ransom payments.
In a recent McAfee report, the company said REvil affiliates mainly used RDP brute-forcing, phishing, and malicious script injection to infect their victims.