
Update to REvil ransomware changes Windows passwords to automate file encryption via Safe Mode

The ransomware changes the device password to “DTrump4ever” and forces the device to log in automatically after being rebooted.

Image: Laptop computer with the system being locked by ransomware (iStockphoto/Kritchanut)

The hackers behind the REvil ransomware have released an updated version of the malware that allows them to change Windows passwords and automate file encryption through Safe Mode, according to a recent report from Bleeping Computer. Researcher R3MRUN also released a detailed breakdown of the attack method on his Twitter account, highlighting that attackers can now use the “smode” command-line option to put a device into Safe Mode, where the malware then encrypts the files on the device.


The ransomware then changes the device password to “DTrump4ever” and forces the device to log in automatically after being rebooted.
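The article describes the staging steps (a Safe Mode boot, a changed local password and an automatic log-in on the next reboot) without naming the Windows settings involved. The detection sketch below is an added example, not code from the article or from any of the researchers quoted; it assumes the auto-login is staged through the Winlogon AutoAdminLogon/DefaultPassword registry values and the Safe Mode boot through a bcdedit safeboot entry, and runs over constructed, simplified log lines rather than real telemetry.

```python
import re

# Constructed sample events (not real telemetry) in a simplified
# "field=value; field=value" shape; an EDR or Sysmon pipeline would
# normalise real events into something similar.
SAMPLE_EVENTS = [
    "event=ProcessCreate; image=C:\\Windows\\System32\\bcdedit.exe; cmdline=bcdedit /set {current} safeboot network",
    "event=RegistrySet; key=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon; value=1",
    "event=RegistrySet; key=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultPassword; value=<redacted>",
    "event=ProcessCreate; image=C:\\Users\\Public\\update.exe; cmdline=update.exe -smode",
    "event=ProcessCreate; image=C:\\Windows\\System32\\notepad.exe; cmdline=notepad.exe report.txt",
]

# Each rule flags one of the staging steps described in the article.
# The "smode" switch is the one the article names; the registry and
# bcdedit indicators are assumptions about how auto-login and a
# Safe Mode boot are configured on Windows.
RULES = {
    "safeboot_configured": re.compile(r"bcdedit.*\bsafeboot\b", re.I),
    "autologon_enabled": re.compile(r"Winlogon\\AutoAdminLogon; value=1\b", re.I),
    "autologon_password_set": re.compile(r"Winlogon\\DefaultPassword", re.I),
    "smode_switch": re.compile(r"cmdline=.*\s-?smode\b", re.I),
}

def parse_event(line):
    """Split a 'k=v; k=v' line into a dict (first '=' separates key and value)."""
    return dict(field.split("=", 1) for field in line.split("; "))

def match_rules(line):
    """Return the names of every rule whose pattern matches the line."""
    return [name for name, rx in RULES.items() if rx.search(line)]

def analyse(events):
    """Group matching events by rule name so an analyst sees each indicator once."""
    hits = {}
    for line in events:
        for name in match_rules(line):
            hits.setdefault(name, []).append(parse_event(line))
    return hits

def severity(hits):
    # Escalate when a Safe Mode boot and an auto-login are staged on the
    # same host: individually each can be legitimate administration, but
    # together they form the pattern the article describes.
    if "safeboot_configured" in hits and "autologon_enabled" in hits:
        return "high"
    return "medium" if hits else "none"

if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    print(severity(found), sorted(found))
```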

Bryan Embrey, director of product marketing at Zentry Security, explained that REvil uses three primary attack vectors to penetrate a network: phishing emails with malicious attachments, Remote Desktop Protocol vulnerabilities and software vulnerabilities.

“Brute force password attacks are typically used with RDP simply because people tend to use simple passwords that are easier to remember. Once in a network, REvil moves laterally to deploy ransomware on all resources for maximum effect,” Embrey said.

Cybersecurity experts said the changes highlighted how the REvil group and others continue to update and change their ransomware tactics as companies try to prevent attacks. 

“REvil has been evolving its tactics since February 2020, adding DDoS attacks to its arsenal, cold calling victims, and now rebooting machines in Safe Mode. REvil’s new update of changing user passwords and automatically logging into a victim device differs from the previous need for a victim to login into their device after rebooting in Safe Mode,” said Jamie Hart, cyber threat intelligence analyst at Digital Shadows. 

“The update highlights the group’s effort to remain hidden and reduces the risk of red flags during encryption. In 2019, the Snatch ransomware group added the ability to encrypt a device in Safe Mode; it is realistically possible that REvil is implementing tactics that have been successful for other ransomware groups.” 

Hart added that some of the mitigation strategies for ransomware attacks include consistent patching and updating, stronger passwords, regular security awareness training as well as the 3-2-1 method, which involves storing your data across two storage locations and one cloud storage provider. 

Organizations that fear a ransomware attack should also implement and regularly rehearse an incident response plan that supports business continuity if an attack succeeds.

The people behind REvil recently launched a devastating attack on global laptop conglomerate Acer, demanding a record ransom of $50 million. 

Roger Grimes, data-driven defense evangelist at KnowBe4, said the tactics now being used by REvil are very common in the malware world. 

“If you allow any malware program or hacker to execute commands in ‘administrator’ context, it is always game over. It will always be game over. The only sure defense is to stop the initial execution of the malware,” Grimes said. 

According to GRIMM principal of software security Adam Nichols, the update gives the malware powerful new capabilities for evading protections.


One potential solution suggested by Nichols is backing up files to an external thumb drive and removing it from the computer when not in use to ensure that a copy of the data is always available. 

Using virtual machines can also help limit the damage of numerous attacks, including REvil, Nichols explained: browsing inside a virtual machine while keeping important files outside it prevents data loss and stops criminals from obtaining your data if the virtual machine is infected with REvil or another ransomware.

But the latest update to the REvil ransomware makes troubleshooting and remediation quite difficult after the fact, Veridium CRO Rajiv Pimplaskar said in an email.

“In general, prevention is a lot easier than cure in such cases. That’s why organizations and end users should accelerate their adoption of passwordless technologies and use non-credential-based authentication methods like ‘phone as a token’ or FIDO2,” Pimplaskar said. 

“This mitigates both the chances of a ransomware infection in the first place, which can occur from the use of infected home computers, and also helps eliminate the possibility of obtaining and using stolen credentials against end users and organizations even after the fact. Data shows that there has been a 72% rise in ransomware attacks over the past year, which can be directly correlated to the increased use of home computers to perform remote work due to the COVID-19 pandemic.”

Jerome Becquart, COO at Axiad, echoed those remarks, highlighting that no matter how strong your users’ passwords are, any password-based authentication can leave you open to ransomware attacks.

“Cybercrime is a business, and everyone should think of it that way. By encrypting victims’ files and requesting financial payment, ransomware like REvil has one of the highest direct returns of investment,” said Niamh Muldoon, global data protection officer at OneLogin.

“Taking the global economic environment and current market conditions into consideration, cyber criminals will of course continue to focus their efforts on this revenue-generating stream. During 2021, we are also likely to see cyber criminal individuals and groups partner together to try and maximize their return of investment. This could include targeting high-value individuals and/or large enterprise organizations.”
