A lone-wolf researcher has turned the table on the hackers

Representational image of a cybercriminal
(Image credit: Pixabay)

A researcher going by the name hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil, LockBit, including many others, carry a flaw that makes them vulnerable to DLL hijacking.

By exploiting the flaw, the researcher was able to prevent the ransomware from its key selling proposition - encrypting files. 

As reported by BleepingComputer, DLL hijacking is usually used to inject malicious codes into legitimate applications. For these ransomware strains, however, the researcher created a proof of concept, and recorded a demo video showcasing how it’s done. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

<a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" target="_blank">Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the <a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" data-link-merchant="polls.futureplc.com"" target="_blank">end of this survey to get the bookazine, worth $10.99/£10.99.

DLL hijacking

DLL hijacking exploits how apps search and load memory in the Dynamic Link Library (DLL) files. A program that does not have enough checks can load a DLL from a path outside its directory, essentially elevating privileges and allowing for arbitrary code execution. 

In this case, the researcher created a unique code and compiled it into a DLL with a name familiar to the ransomware. It is also important, the researcher stresses, that the DLL is placed in a location where ransomware operators usually place and run their malware, such as a network location with key data. 

That would kill the ransomware in its inception.

What makes this method even more deadly is the fact that it can’t be classified as a security solution, and as such, cannot be bypassed in the way ransomware strains usually bypass antivirus and other cybersecurity solutions. 

The big question is - how long will this mitigation measure last? Ransomware operators often update and upgrade their products, and if this is a newly discovered flaw, it’s probably only a matter of time before it gets patched up. 

Unfortunately, ransomware operators are quite fast and diligent, and we can expect the hole to be plugged sooner, rather than later.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.