In an interesting turn of events, a researcher has found exploitable bugs in the most common ransomware threats. Ransomware families such as LockBit, REvil, Conti, and Black Basta have bugs which, if exploited, prevent them from encrypting any files.

Exploitable bugs in malware

The researcher, known as hyp3rlinx, claims that all the malware samples are vulnerable to DLL hijacking, a method normally used to inject malicious code into a genuine application by planting a DLL that the application loads. Here the bug can be exploited to stop file encryption.
  • To exploit the vulnerabilities in the malware, the researcher wrote exploit code and compiled it into a DLL with a specific name, so that the ransomware treats it as one of its own libraries and loads it into the encryption process.
  • The researcher has published a report for each malware family (LockBit, REvil, Conti, and Black Basta) describing the type of vulnerability found, the hash of the sample, and a PoC exploit, along with a demo video.

How does it work?

The researcher states that, to defuse these ransomware families, the DLL should be placed in a location where cybercriminals run their ransomware (e.g. a network location holding important data).
  • Once the exploit DLL is loaded, the ransomware process terminates before it starts encrypting.
  • While malware can disable security solutions on the infected machine, it cannot do anything against such DLLs: they are just files stored on the host's disk and stay idle until they are loaded.
  • If the malware samples are recent, the exploit may only work for a short period of time, since the ransomware groups may fix these bugs as soon as they are disclosed publicly.
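The mechanism above, as an added example that is not hyp3rlinx's PoC code: a minimal "vaccine" DLL that terminates its host process when loaded, after first writing a log line so the event is visible to defenders. The DLL file name (taken from the Malvuln report for each family) and the log path are assumptions; the decision logic is kept portable so it can be tested off Windows.

```c
/* Hypothetical vaccine DLL (added example, not Malvuln's PoC).
 * Build it under the DLL name the ransomware tries to load; that name
 * is NOT given in the article and must come from hyp3rlinx's report. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

#define VACCINE_LOG "C:\\ProgramData\\vaccine_dll.log"  /* assumed path */

/* Portable core: decide what to do for a loader notification and build the
 * log line a SOC would want to see. Returns 1 when the host must be stopped,
 * 0 when the DLL should stay idle (thread attach/detach, process detach). */
int vaccine_on_notify(int is_process_attach, unsigned long pid,
                      const char *image_path, char *line, size_t line_len)
{
    if (!is_process_attach)
        return 0;
    snprintf(line, line_len,
             "VACCINE_DLL loaded by pid=%lu image=%s action=terminate",
             pid, image_path ? image_path : "?");
    return 1;
}

#ifdef _WIN32
static void append_log(const char *line)
{
    FILE *f = fopen(VACCINE_LOG, "a");
    if (f) { fprintf(f, "%s\n", line); fclose(f); }
}

/* Entry point called by the Windows loader when the host maps this DLL. */
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    char image[MAX_PATH] = "?", line[640];
    (void)inst; (void)reserved;
    GetModuleFileNameA(NULL, image, sizeof image);   /* host process image */
    if (vaccine_on_notify(reason == DLL_PROCESS_ATTACH,
                          (unsigned long)GetCurrentProcessId(), image,
                          line, sizeof line)) {
        append_log(line);                            /* leave a trace first */
        TerminateProcess(GetCurrentProcess(), 0);    /* never returns */
    }
    return TRUE;
}
#endif
```

Any legitimate program that happens to load a DLL of the same name from the drop directory would be terminated too, so keep the name and location to what the report specifies and watch the log for hits.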

The Malvuln project

hyp3rlinx’s work is being tracked under the name of the Malvuln project, focusing on discovering vulnerabilities in different types of malware pieces, such as trojans, backdoors, spyware, and infostealers (e.g. RedLine).

Conclusion

Exploiting bugs in ransomware to stop encryption is indeed a good way to counter such prominent ransomware families. Further, the Malvuln project could help the security community develop adequate counter-measures.

Cyware Publisher
