BreachExchange mailing list archives
Sodinokibi ransomware can now encrypt open and locked files
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 12 May 2020 09:07:56 -0500
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-can-now-encrypt-open-and-locked-files/

The Sodinokibi (REvil) ransomware has added a new feature that allows it to encrypt more of a victim's files, even those that are opened and locked by another process.

Some applications, such as database or mail servers, will lock files that they have open so that other programs cannot modify them. These file locks prevent the data from being corrupted by two processes writing to a file at the same time.

When a file is locked, this also prevents ransomware applications from encrypting it without first shutting down the process that locked the file. For this reason, many ransomware infections will attempt to shut down database servers, mail servers, and other applications that perform file locking before encrypting a computer.

Sodinokibi now automatically terminates processes locking a file

While many ransomware families attempt to shut down the most common applications that are known to lock files, they are not going to be able to shut down every one.

In a new report by cybercrime intelligence firm Intel471, researchers have spotted that Sodinokibi is now using the Windows Restart Manager API to close processes or shut down Windows services keeping a file open during encryption.

This API was created by Microsoft to make it easier to install software updates without performing a restart to free files that the updates need to replace.

"The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. The primary reason software updates require a system restart during an installation or update is that some of the files that are being updated are currently being used by a running application or service. The Restart Manager enables all but the critical system services to be shut down and restarted. This frees files that are in use and allows installation operations to complete," Microsoft explains in their API documentation.

In addition to using the API while encrypting files, the ransomware developers are also using it in their decryptor.

[Image: Sodinokibi Decryptor]

As noted by security researcher Vitali Kremez, in REvil Decryptor v2.2, shown above, the Windows Restart Manager API is being used to make sure no processes are keeping a file open when the decryptor tries to decrypt it.

[Image: Windows Restart Manager API used in the decryptor]

Sodinokibi/REvil is not the first ransomware family to utilize this API in their malware, as both SamSam and LockerGoga use it as well.

Unfortunately, the use of this API by ransomware infections has both a downside and a benefit. Victims will have an easier time decrypting files after paying a ransom, but Sodinokibi will now be able to encrypt more files, especially critical ones.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
https://lists.riskbasedsecurity.com/listinfo/breachexchange
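The detection angle that the article leaves implicit is that the Restart Manager API lives in a single, rarely used system library (Rstrtmgr.dll), so a process loading that DLL and then writing a burst of files is an unusual pairing outside of installers and Windows Update components. The script below is an added illustration of that hunting heuristic; it is not code from the article, from Intel471 or from any vendor. It assumes endpoint telemetry in a Sysmon-like shape (an "ImageLoaded" record carrying the loaded module path and the loader's signing status, and "FileCreate" records for new files), and the event records embedded in it are constructed for the example, not real logs. The trusted-directory list, the 20-file threshold and the 60-second window are tuning assumptions a team would adjust to its own environment.

```python
"""
Hunting heuristic: flag processes that load the Windows Restart Manager
library (rstrtmgr.dll) and then create many files in a short window, while
lacking the provenance a legitimate installer would have (signed binary in a
trusted directory). Added example; the records below are constructed in a
Sysmon-like shape (ImageLoaded, FileCreate) and are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values: adjust to the environment being monitored.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTART_MGR_DLL = "rstrtmgr.dll"
FILE_BURST_THRESHOLD = 20          # distinct new files after the DLL load
BURST_WINDOW = timedelta(seconds=60)


def _constructed_events():
    """Build a small, constructed event stream: one legitimate installer
    (signed, in System32, few file writes) and one suspicious unsigned
    binary in a temp directory that writes 25 renamed files in seconds."""
    base = datetime(2020, 5, 12, 9, 0, 0)
    events = [
        {"time": base.isoformat(), "event": "ImageLoaded", "pid": 1100,
         "image": "C:\\Windows\\System32\\msiexec.exe", "signed": True,
         "loaded": "C:\\Windows\\System32\\RstrtMgr.dll"},
        {"time": (base + timedelta(seconds=5)).isoformat(), "event": "ImageLoaded",
         "pid": 4242,
         "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe",
         "signed": False,
         "loaded": "C:\\Windows\\System32\\RstrtMgr.dll"},
    ]
    for i in range(3):  # an installer dropping a few files is normal
        events.append({"time": (base + timedelta(seconds=2 + i)).isoformat(),
                       "event": "FileCreate", "pid": 1100,
                       "target": f"C:\\Program Files\\Vendor\\app{i}.dll"})
    for i in range(25):  # one new file per second in a data share
        events.append({"time": (base + timedelta(seconds=6 + i)).isoformat(),
                       "event": "FileCreate", "pid": 4242,
                       "target": f"D:\\Shares\\finance\\report{i:02d}.xlsx.locked"})
    return events


EVENTS = _constructed_events()


def is_trusted_image(image):
    """True when the loading executable sits under a trusted install root."""
    return image.lower().startswith(TRUSTED_DIRS)


def files_created_after(creates, t_load):
    """Count distinct files a process created within BURST_WINDOW of loading
    rstrtmgr.dll (creates is a list of (datetime, path) pairs)."""
    end = t_load + BURST_WINDOW
    return len({path for t, path in creates if t_load <= t <= end})


def find_restart_manager_abuse(events):
    """Return one alert dict per suspicious process. The behavioural signal
    (file burst right after loading rstrtmgr.dll) must coincide with at
    least one provenance signal (unsigned image or untrusted directory), so
    signed installers under Program Files are not reported."""
    loaders = {}                      # pid -> (image, signed, load time)
    creates = defaultdict(list)       # pid -> [(time, target path)]
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if (ev["event"] == "ImageLoaded"
                and ev["loaded"].lower().endswith("\\" + RESTART_MGR_DLL)):
            loaders.setdefault(ev["pid"], (ev["image"], ev["signed"], t))
        elif ev["event"] == "FileCreate":
            creates[ev["pid"]].append((t, ev["target"]))

    alerts = []
    for pid, (image, signed, t_load) in loaders.items():
        burst = files_created_after(creates[pid], t_load)
        if burst < FILE_BURST_THRESHOLD:
            continue
        reasons = []
        if not signed:
            reasons.append("unsigned image loaded rstrtmgr.dll")
        if not is_trusted_image(image):
            reasons.append("image outside trusted install directories")
        if reasons:
            reasons.append(f"{burst} files created within "
                           f"{BURST_WINDOW.seconds}s of loading rstrtmgr.dll")
            alerts.append({"pid": pid, "image": image, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_restart_manager_abuse(EVENTS):
        print(f"ALERT pid={alert['pid']} image={alert['image']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run against the constructed stream, the signed msiexec.exe in System32 is ignored (few writes, trusted provenance) while pid 4242 is reported with all three reasons. The same structure applies to real Sysmon data once the field names are mapped (event 7 for image loads, with its Signed field, and event 11 for file creation); the point of pairing the DLL load with a write burst rather than alerting on the load alone is that Windows Update, MSI installers and some backup tools also use the Restart Manager legitimately.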