The REvil (Sodinokibi) ransomware has been the subject of several cybersecurity news articles in recent months. One of the most notorious cases was the infection suffered by Acer, with a ransom demand of 50 million dollars that rose to 100 million when the cybercriminals' demands were not met.
Recently, the Taiwanese company "Quanta Computer", an official Apple supplier, was also hit by this ransomware-as-a-service (RaaS), with the attackers demanding the same amount they had asked of Acer at the time.
Like any product, including malware of this type, it receives updates to better serve its purposes. In this case we present a new variant, whose way of operating was discovered in March, that configures Windows to log in automatically when booted in Safe Mode.
REvil emerged around 2019 and is one of the most talked-about RaaS operations of recent months. As is often the case, the final deployment of the ransomware is preceded by preliminary stages in which various components are used to establish persistence on the computer, as well as to perform reconnaissance, privilege escalation or lateral movement. For example, IcedID (BokBot, IceID) is a trojan commonly used to establish persistence by creating scheduled tasks in the operating system before REvil is executed.
Once REvil compromises the system, the note that we see in the following image or a similar one is displayed. At that point, the system is already infected by the malware.
REvil hijack note
Booting in Safe Mode is a resource that can be used to bypass traditional antivirus scanning, and it is nothing new. The Snatch ransomware, for example, already used it: the malware registered itself as a Safe Mode service by adding the Windows registry value HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service, and used the bcdedit.exe tool, available from the command console, to force the computer to boot in Safe Mode.
The version of REvil that incorporates this feature can be run with the -smode flag to restart the computer in Safe Mode, but it will also modify the Winlogon entries in the Windows registry so that the system logs in automatically with credentials set by the malware. Specifically, changes are made to the values AutoAdminLogon, DefaultUserName and DefaultPassword. The latter is given the curious and not exactly inconspicuous value "DTrump4ever".
Windows registry entry with default password DTrump4ever
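The two registry locations described above (the SafeBoot\Minimal service list used by Snatch, and the Winlogon auto-logon values modified by REvil) can be audited read-only from an elevated PowerShell prompt. The script below is an added example for defenders and is not code from the original article or from the malware; the registry paths and value names are standard Windows locations, while the rule that a legitimate Safe Mode service should run from the Windows directory is an assumed heuristic that should be tuned against a known-good export from a clean host.

```powershell
# Added example (not from the original article): read-only checks for the
# Safe Mode boot / auto-logon tampering described in the text.
# Run from an elevated prompt; bcdedit needs administrator rights.

function Test-SafeModeTampering {
    $findings = @()

    # 1. Winlogon auto-logon with a stored plaintext password (REvil behaviour).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    if ($props -and $props.AutoAdminLogon -eq '1') {
        $findings += "AutoAdminLogon is enabled for user '$($props.DefaultUserName)'"
    }
    if ($props -and $props.PSObject.Properties['DefaultPassword']) {
        $findings += "DefaultPassword is stored in the registry (plaintext auto-logon credential)"
    }

    # 2. Boot configuration already set to enter Safe Mode on the next restart
    #    (what 'bcdedit /set {current} safeboot minimal' leaves behind).
    $bcd = & bcdedit /enum '{current}' 2>$null
    $safeBootLines = @($bcd | Where-Object { $_ -match '^\s*safeboot\s+' })
    if ($safeBootLines.Count -gt 0) {
        $findings += "Current boot entry forces Safe Mode: $($safeBootLines -join '; ')"
    }

    # 3. Services registered to load in Safe Mode (Snatch technique).
    #    Heuristic (assumption): legitimate Safe Mode services live under the Windows
    #    directory; anything else is worth a look. Use a foreach statement rather
    #    than ForEach-Object so $findings is updated in this scope.
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
    foreach ($sub in (Get-ChildItem -Path $safeBoot -ErrorAction SilentlyContinue)) {
        $kind = (Get-ItemProperty -Path $sub.PSPath).'(default)'
        if ($kind -ne 'Service') { continue }          # driver-group GUID entries are skipped
        $name = $sub.PSChildName
        $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        if (-not $svc) {
            $findings += "Safe Mode entry '$name' has no matching service definition"
            continue
        }
        $image = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
        # Driver paths may be written as \SystemRoot\... or relative to System32.
        if ($image -and $image -notmatch '(?i)(\\windows\\|systemroot|^system32\\)') {
            $findings += "Safe Mode service '$name' runs from outside the Windows directory: $image"
        }
    }

    return $findings
}

$results = Test-SafeModeTampering
if ($results.Count -eq 0) {
    Write-Output 'No Safe Mode auto-logon or boot tampering indicators found.'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A non-empty result from the first check should be treated as a plaintext credential exposure regardless of who set it: the AutoAdminLogon mechanism is a legitimate Windows feature, which is why this attack avoids tripping generic integrity checks, so the remediation is to clear DefaultPassword and set AutoAdminLogon back to 0 after the incident has been scoped.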
The ability to automate encryption by starting in Safe Mode (-smode) to bypass security controls was already present in this malware. What is new in this version is a refinement of that behaviour: enabling auto-login by changing the logon credentials, so that the reboot completes without user interaction and goes unnoticed.
However, this does not happen in all cases. As discussed in a recent report by The DFIR Report, the ransomware does not always run with the -smode flag; instead it may run a DLL that encrypts the system without requiring a reboot into Safe Mode. Which path is taken depends on how the payload has been deployed, but in any case it is worth knowing that new samples may carry this feature.
Beyond the updates typical of any malware that try to evade detection and monitoring mechanisms, updates to how ransomware operates generally aim at reducing encryption time. They also add features such as the one described here: deciding whether encryption will take place without starting in Safe Mode or whether, on the contrary, the computer will be forced to restart, circumventing security solutions as far as possible.
This is also aimed at minimizing any interaction with the user, by establishing a default password. Malware development is taking a turn in which the way it operates is prepared for multiple scenarios, with the form of deployment decided at the last minute.
In any case, in the laboratory tests carried out, the start in Safe Mode is noticeable to a user who is aware of the restart and of the computer's usual behaviour. As in other cases, mitigating the effect of this type of attack requires being familiar with how it operates and what it is capable of, in addition to dispelling the assumption, held by many, that booting in Safe Mode is indeed safe.