A lone-wolf researcher has turned the table on the hackers

By Sead Fadilpašić
published

Conti, REvil, LockBit all exploited to block ransomware encryption

Representational image of a cybercriminal
(Image credit: Pixabay)

A researcher going by the name hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil, LockBit, including many others, carry a flaw that makes them vulnerable to DLL hijacking.

By exploiting the flaw, the researcher was able to prevent the ransomware from its key selling proposition - encrypting files. 

As reported by BleepingComputer, DLL hijacking is usually used to inject malicious codes into legitimate applications. For these ransomware strains, however, the researcher created a proof of concept, and recorded a demo video showcasing how it’s done. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab)

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

DLL hijacking

DLL hijacking exploits how apps search and load memory in the Dynamic Link Library (DLL) files. A program that does not have enough checks can load a DLL from a path outside its directory, essentially elevating privileges and allowing for arbitrary code execution. 

In this case, the researcher created a unique code and compiled it into a DLL with a name familiar to the ransomware. It is also important, the researcher stresses, that the DLL is placed in a location where ransomware operators usually place and run their malware (opens in new tab), such as a network location with key data. 

Read more

> The number of ransomware attacks continues to skyrocket - but that's not even the worst part (opens in new tab)

> These fake Windows 10 updates will land you with a ransomware infection (opens in new tab)

> This spiteful new ransomware strain is even more dangerous than usual (opens in new tab)

That would kill the ransomware in its inception.

What makes this method even more deadly is the fact that it can’t be classified as a security solution, and as such, cannot be bypassed in the way ransomware strains usually bypass antivirus (opens in new tab) and other cybersecurity solutions. 

The big question is - how long will this mitigation measure last? Ransomware operators often update and upgrade their products, and if this is a newly discovered flaw, it’s probably only a matter of time before it gets patched up. 

Unfortunately, ransomware operators are quite fast and diligent, and we can expect the hole to be plugged sooner, rather than later.

Via: BleepingComputer (opens in new tab)

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

See more Computing news