The notorious REvil ransomware has refined its attack vector once again, changing the victim's login password in order to reboot the computer into Windows Safe Mode.
While malicious groups are always updating their attack methodology to counter security measures, the threat actors behind the REvil ransomware are particularly adept at honing their malware to make their attack campaigns more efficient. Security researchers recently accused REvil of targeting Acer’s back office computers, demanding a record $50 million ransom.
Just last month security researchers learnt of REvil’s new methodology that enabled the threat actors to encrypt their victim’s files by rebooting into the Windows Safe Mode.
Not-so-Safe Mode
Researchers believed this new attack strategy was designed as a means to bypass detection by Windows security mechanisms as well as any other protections employed by the user.
Safe Mode also ensured the ransomware wouldn’t be interrupted by processes with higher privileges, such as backup agents and servers.
Although that’s quite a novel approach, it relied upon someone manually rebooting Windows into Safe Mode. The new changes, as reported by Bleeping Computer, automate the process.
The latest version of the ransomware will first change the user password, reportedly to DTrump4ever, and then reconfigure a few registry values to enable Windows to automatically log in with the updated credentials.
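The combination described above, a changed local password plus an auto-logon reconfiguration and a Safe Mode reboot, leaves settings on the host that an administrator can check for. The following PowerShell audit script is an added example, not code from the article or from Bleeping Computer; it assumes the auto-logon is done through the standard Winlogon registry values (`AutoAdminLogon`, `DefaultUserName`, `DefaultPassword`) and that the Safe Mode reboot is set through a `safeboot` entry in the boot configuration, neither of which the article names explicitly. Run it in an elevated PowerShell session on the endpoint being triaged.

```powershell
# Added audit example (not from the article). Flags the auto-logon and Safe Mode
# boot settings that a "reboot into Safe Mode with auto-logon" attack would leave
# behind. Assumption: the malware uses the standard Winlogon auto-logon values and
# a BCD safeboot entry; the article only says "a few registry values".

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# 1. Auto-logon values. A cleartext DefaultPassword is never legitimate on a
#    managed endpoint, and AutoAdminLogon=1 is rare outside kiosk builds.
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($wl.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon is enabled for user '$($wl.DefaultUserName)'"
}
if ($wl.PSObject.Properties.Name -contains 'DefaultPassword') {
    $findings += 'DefaultPassword is stored in cleartext under Winlogon'
}

# 2. Safe Mode boot flag. bcdedit prints a "safeboot  Minimal|Network" line when
#    the current boot entry will enter Safe Mode on the next restart.
$bcd = bcdedit /enum '{current}' 2>$null
$safebootLines = @($bcd -match '^\s*safeboot\s')
if ($safebootLines.Count -gt 0) {
    $findings += "Boot entry {current} is set for Safe Mode: $($safebootLines -join ' ')"
}

# 3. Recent password change on the account that auto-logon would use.
if ($wl.DefaultUserName) {
    $u = Get-LocalUser -Name $wl.DefaultUserName -ErrorAction SilentlyContinue
    if ($u -and $u.PasswordLastSet -gt (Get-Date).AddDays(-1)) {
        $findings += "Password for '$($u.Name)' was changed at $($u.PasswordLastSet)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No auto-logon or Safe Mode persistence indicators found.'
} else {
    Write-Warning 'Possible Safe Mode auto-logon tampering:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Any hit on the first two checks together is a strong signal: legitimate auto-logon deployments do not normally coincide with a pending Safe Mode boot. After evidence has been preserved, the boot flag can be cleared with `bcdedit /deletevalue {current} safeboot` and the Winlogon values removed, but isolating the host and resetting the affected account's password should come first.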