REvil v2.2 Comes Back With Upgraded Capabilities

Sodinokibi or REvil ransomware is back with a bang. Its new feature enables it to encrypt a victim’s files, even the ones that are opened and locked by other ongoing processes.

What is the update

  • Applications such as database and mail servers lock files under use so that they cannot be modified by other programs. This prevents ransomware applications from encrypting them without shutting down the process that locked the file.
  • According to a report by Intel471, REvil uses the Windows Restart Manager API to shut down processes or Windows services keeping a file open during encryption.

How does it work

  • Typically, Sodinokibi opens files for encryption with no sharing. However, it uses the Restart Manager to overcome sharing violations when it tries opening files that are already opened by other processes.
  • Microsoft created the API for the smooth installation of software updates without performing a restart. Instead, it gets exploited for malicious purposes by ransomware.

What are the experts saying

  • Security researcher, Vitali Kremez, noted that the API is being used to ensure that processes do not keep a file open when a decryptor tries to decrypt it.
  • The new version is similar to the previous v2.1 in that they both employ the same persistence mechanism.

Worth noting

  • The API can reduce or eliminate the number of systems required to complete an update or installation.
  • The ransomware operators use the API in their decryptor.
  • Apart from Sodinokobi, other ransomware families employing this API include LockerGaga and SamSam.

In essence

The use of this API by ransomware families has its own pros and cons. The pro is that it will be easier for victims to decrypt a file after paying the ransom. However, the con is that the threat actors would be able to encrypt files easily.