Tanya Valdez is a Technical Writer at Constellix. She makes the information-transfer material digestible through her own transfer of information to our customers and readers. Connect with her on LinkedIn.
http://www.linkedin.com/in/tanya-valdez
The ransomware group that hit Acer with a $50 million ransom demand on March 25, 2021 is already working on its next victims. REvil recently stated that its goal is to make $2 billion from ransomware attacks in a single year, and boasted of $100 million in earnings the previous year.
Last month, REvil added a new ability to encrypt files in Windows Safe Mode, which seemingly helps it evade security detection: Safe Mode is a startup mode that loads only the drivers and services the operating system needs to function, so most third-party services, including many security products, do not start. It is commonly used to run administrative and diagnostic tasks.
Programs configured to start automatically with Windows do not start in Safe Mode unless they are specifically configured to do so. To get around this, REvil creates two RunOnce Registry entries: one forces an uninterrupted restart of Windows (into Safe Mode), the other relaunches the REvil ransomware after the restart. Windows deletes both RunOnce entries automatically once they have run, which leaves little trace of the mechanism.
The previous version of this technique required a user to log in manually before encryption would begin. Security researcher R3MRUM discovered a new version of REvil's Safe Mode encryption that changes the user's password and configures Windows to log that user in automatically on reboot. According to Bleeping Computer, the user's password was changed to 'DTrump4ever' in the following Registry values.
It is not clear whether this password will remain in use, but it was the same in the two samples discovered so far.
This is just the latest tactic the group has added to its ransomware-as-a-service (RaaS) operation, alongside pressure techniques such as VoIP calls to victims and DDoS attacks.
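The two mechanisms described above (RunOnce entries that survive a Safe Mode restart, and a Registry-configured automatic logon) both leave artifacts a defender can look for. The script below is an added example written for this article, not REvil's code and not taken from any of the cited sources: a read-only PowerShell check that lists RunOnce values whose names begin with '*' (documented Windows behaviour: such values run even in Safe Mode, where RunOnce is otherwise ignored), RunOnce values that reference a safe-boot or reboot command, the Winlogon AutoAdminLogon/DefaultUserName/DefaultPassword values, and a safeboot option in the current boot entry. The exact value names REvil uses are not given on this page, so the script matches on the generic indicators rather than on specific names. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or from REvil): read-only check for
# Safe Mode persistence and auto-logon indicators. Run as Administrator.

$findings = @()

# 1. RunOnce values. A value name prefixed with '*' is documented Windows
#    behaviour for "run this even in Safe Mode", which is rare on a healthy
#    workstation. Also flag values whose command mentions safeboot/bcdedit/shutdown.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runOnceKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($name.StartsWith('*')) {
            $findings += [pscustomobject]@{
                Indicator = 'RunOnce value set to run in Safe Mode'
                Location  = "$key\$name"
                Data      = $data
            }
        } elseif ($data -match 'safeboot|bcdedit|shutdown') {
            $findings += [pscustomobject]@{
                Indicator = 'RunOnce value references safe boot or reboot'
                Location  = "$key\$name"
                Data      = $data
            }
        }
    }
}

# 2. Automatic logon. AutoAdminLogon = 1 with a DefaultPassword stored in the
#    Registry means anyone who reboots the box gets a logged-in session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -LiteralPath $winlogon
if ([string]$wl.AutoAdminLogon -eq '1') {
    $findings += [pscustomobject]@{
        Indicator = 'AutoAdminLogon enabled'
        Location  = "$winlogon\AutoAdminLogon"
        Data      = "DefaultUserName = $($wl.DefaultUserName)"
    }
    if ($wl.PSObject.Properties.Name -contains 'DefaultPassword') {
        $findings += [pscustomobject]@{
            Indicator = 'Clear-text DefaultPassword stored in Registry'
            Location  = "$winlogon\DefaultPassword"
            Data      = '(value present; not displayed)'
        }
    }
}

# 3. Boot configuration. A safeboot option on the current boot entry means the
#    next restart comes up in Safe Mode. bcdedit needs an elevated prompt.
$bcd = & bcdedit /enum '{current}' 2>$null
$safeboot = @($bcd | Where-Object { $_ -match 'safeboot' })
if ($safeboot.Count -gt 0) {
    $findings += [pscustomobject]@{
        Indicator = 'safeboot option set on current boot entry'
        Location  = 'bcdedit /enum {current}'
        Data      = ($safeboot -join ' ')
    }
}

if ($findings.Count -eq 0) {
    'No Safe Mode persistence or auto-logon indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The check is deliberately conservative: a '*'-prefixed RunOnce value or a safeboot flag on the current boot entry is worth investigating on its own, while AutoAdminLogon is legitimately used on some kiosk and lab machines, so treat that finding in context. Because Windows deletes RunOnce values after they execute, this check is most useful on a machine that has not yet rebooted, or as a scheduled baseline across a fleet rather than a one-off after the fact.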
image source: https://economictimes.indiatimes.com/