
REvil Hacking Group Changes Windows Passwords to Auto-login in Safe Mode

April 8, 2021

The hacker group that hit Acer with a $50 million ransomware attack on March 25, 2021 has moved on to new victims. REvil recently stated that its goal is to make $2 billion from ransomware attacks in one year, and boasted of $100 million in earnings for a previous year.


Tanya Valdez is a Technical Writer at Constellix. She makes the information-transfer material digestible through her own transfer of information to our customers and readers. Connect with her on LinkedIn.


REvil Ransomware Logs Windows Into Safe Mode

Last month, REvil added a new ability to encrypt files in Windows Safe Mode, which seemingly helps it evade security detection. Windows Safe Mode is a startup mode that loads only the drivers and software the operating system needs to run, and it is commonly used for administrative and diagnostic tasks.

Programs configured to start automatically with Windows do not start in Safe Mode unless they are specifically configured to do so. To work around this restriction, REvil creates two RunOnce registry entries: one forces an uninterrupted restart of Windows, and the other relaunches the REvil ransomware. Windows deletes both RunOnce entries automatically once they have run.

New Version Changes Windows Passwords

The previous ransomware version required a manual login before encryption could begin. Security researcher R3MRUM discovered a new version of REvil’s Safe Mode encryption that changes the user’s password and configures Windows to log in automatically on reboot. According to Bleeping Computer, the user’s password was changed to ‘DTrump4ever’ in the following Registry values.

It’s not clear if this password will continue to be in use, but it was the same used in two discovered samples. 
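The two mechanisms described above, the RunOnce entries and the automatic-logon password change, both leave traces in the registry that a defender can check. The script below is an added example written for this article, not code from the original post or from any of the researchers it cites; it assumes the automatic logon was configured through the standard Winlogon values Windows uses for that purpose, and that it is run in an elevated PowerShell session on the host being inspected.

```powershell
# Added defender-side check (not from the original article): look for the
# Winlogon auto-logon values and RunOnce entries that the REvil Safe Mode
# technique relies on. Assumption: auto-logon is set via the standard
# Winlogon key, which is how Windows implements automatic logon.

$winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Password reported by Bleeping Computer for the two samples the article cites.
$knownPassword = 'DTrump4ever'

$findings = @()

# 1. Auto-logon: AutoAdminLogon=1 plus a plaintext DefaultPassword is what
#    lets the machine log straight back in after the forced Safe Mode reboot.
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($wl -and $wl.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon is enabled for user '$($wl.DefaultUserName)'"
    if ($wl.PSObject.Properties.Name -contains 'DefaultPassword') {
        $findings += 'DefaultPassword is stored in plaintext under Winlogon'
        if ($wl.DefaultPassword -eq $knownPassword) {
            $findings += 'DefaultPassword matches the value reported in REvil samples'
        }
    }
}

# 2. RunOnce: entries here are normally rare, so list every one so an analyst
#    can review what will execute at the next logon.
foreach ($key in $runOnceKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata fields
        $findings += "RunOnce entry in ${key}: $($p.Name) = $($p.Value)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No auto-logon or RunOnce indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A legitimate deployment can also set AutoAdminLogon, so treat a hit as something to investigate rather than proof of compromise; the combination of auto-logon, a freshly changed password, and unexpected RunOnce entries is the pattern worth escalating.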

This is just the latest tactic the group has added to its ransomware-as-a-service (RaaS) operation, which already includes VoIP calls and DDoS attacks.
