Subnet Mask Cheat SheetRecords Cheat SheetGeoDNS ExplainedFree Network TroubleshooterKnowledge BasePricing CalculatorLive CDN PerformanceVideo Demos
BlogsNewsPress ReleasesIT NewsTutorials
Give us your email and we'll send you the good stuff.
Tanya Valdez is a Technical Writer at Constellix. She makes the information-transfer material digestible through her own transfer of information to our customers and readers. Connect with her on LinkedIn.
The hacker group that hit Acer with a $50 million ransomware attack on March 25, 2021 is working on its new victims. REvil recently stated that their goal is to make $2 billion in ransomware attacks in one year and boasted its $100 million in earnings for a previous year.
Last month, REvil added a new ability to encrypt files in Windows Safe Mode that seemingly assists in evading security detection. Windows Safe Mode is a startup method that loads only the necessary software and drivers needed for the operating system to function. This is commonly used to run administrative and diagnostic tasks.
Programs that were installed in Windows to start automatically do not start in Safe Mode, unless configured to do so. To bypass this autostart, REvil created two RunOnce keys of which one will be used to force an uninterrupted restart of Windows and the other to relaunch the REvil ransomware. Both RunOnce entries are automatically deleted by Windows.
The previous ransomware version required a manual login for the encryption to begin. Security reseacher, R3MRUM, discovered a new version of REvil’s Safe Mode encryption that changes the user’s password and configures Windows to automatically login on reboot. According to Bleeping Computer, the user’s password was changed to ‘DTrump4ever’ in the following Registry values.
It’s not clear if this password will continue to be in use, but it was the same used in two discovered samples.
This is just the latest strategy that the group has added to its tactics in its ransomware-as-a-service (RaaS), including VoIP calls and DDoS attacks.
image source: https://economictimes.indiatimes.com/
Sign up for news and offers from Constellix and DNS Made Easy