A researcher going by the name hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil, LockBit, including many others, carry a flaw that makes them vulnerable to DLL hijacking.
By exploiting the flaw, the researcher was able to prevent the ransomware from its key selling proposition - encrypting files.
As reported by BleepingComputer, DLL hijacking is usually used to inject malicious codes into legitimate applications. For these ransomware strains, however, the researcher created a proof of concept, and recorded a demo video showcasing how it’s done.
DLL hijacking
DLL hijacking exploits how apps search and load memory in the Dynamic Link Library (DLL) files. A program that does not have enough checks can load a DLL from a path outside its directory, essentially elevating privileges and allowing for arbitrary code execution.
In this case, the researcher created a unique code and compiled it into a DLL with a name familiar to the ransomware. It is also important, the researcher stresses, that the DLL is placed in a location where ransomware operators usually place and run their malware (opens in new tab), such as a network location with key data.
> The number of ransomware attacks continues to skyrocket - but that's not even the worst part (opens in new tab)
> These fake Windows 10 updates will land you with a ransomware infection (opens in new tab)
> This spiteful new ransomware strain is even more dangerous than usual (opens in new tab)
That would kill the ransomware in its inception.
What makes this method even more deadly is the fact that it can’t be classified as a security solution, and as such, cannot be bypassed in the way ransomware strains usually bypass antivirus (opens in new tab) and other cybersecurity solutions.
The big question is - how long will this mitigation measure last? Ransomware operators often update and upgrade their products, and if this is a newly discovered flaw, it’s probably only a matter of time before it gets patched up.
Unfortunately, ransomware operators are quite fast and diligent, and we can expect the hole to be plugged sooner, rather than later.
- Defend your devices from ransomware with the best endpoint protection services right now (opens in new tab)
Via: BleepingComputer (opens in new tab)