Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit

The REvil ransomware has a vulnerability that can be exploited to deactivate the malware before it encrypts files on an infected computer, a security researcher has found.

John Page (hyp3rlinx), who runs malware vulnerability tracker website Malvuln.com, discovered that REvil searches for and executes DLLs in the directory where it is located. By hijacking a vulnerable DLL and executing specially crafted code, he could stop and terminate REvil before it started encrypting files.

“We do not need to rely on hash signatures or third-party products, the malwares [sic] flaw does the work for us,” Page wrote. With this technique, REvil will be stopped in its tracks even if it manages to kill anti-malware solutions before executing its payload.

Page posted a proof-of-concept video (see below) that shows how the vulnerability can be exploited.

Users can add the DLL to directories and network shares as an added layer of defense.
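The mechanism the article relies on is the Windows DLL search order: when a program loads a DLL by name, the loader looks in the program's own directory before System32, so a same-named DLL placed next to the executable takes precedence. The simulation below is an added example, not code from the researcher or from Malvuln; it models that search order over a constructed in-memory filesystem (the article does not name the DLL REvil loads, so "example.dll" is a placeholder, and the KnownDLLs set is a constructed subset of the real list). It shows why a planted copy in the sample's directory wins, why names on the KnownDLLs list cannot be used for this purpose, and gives a small check a defender can run to confirm that a countermeasure DLL would actually shadow the system copy.

```python
"""Simulation of the Windows DLL search order behind the technique in the
article: a DLL placed in the executable's own directory is found before the
copy in System32, unless the name is on the KnownDLLs list.

Added example, not the researcher's code. The filesystem is an in-memory
construction; "example.dll" is a placeholder, since the article does not name
the DLL REvil loads. Manifests, SetDllDirectory and absolute-path loads are
deliberately ignored to keep the model small.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional


def _join(directory: str, name: str) -> str:
    return str(PureWindowsPath(directory) / name)


@dataclass
class FakeFs:
    """Constructed stand-in for the disk: lowercase full paths that 'exist'."""
    files: set
    # Names the loader always takes from the system directory (KnownDLLs).
    known_dlls: set = field(default_factory=set)

    def exists(self, path: str) -> bool:
        return path.lower() in self.files

    def is_known(self, name: str) -> bool:
        return name.lower() in {k.lower() for k in self.known_dlls}


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs=()):
    """Directories consulted, in order, with SafeDllSearchMode on (the default)."""
    return [
        app_dir,                        # 1. directory the executable runs from
        system_dir,                     # 2. System32
        _join(windows_dir, "System"),   # 3. 16-bit system directory
        windows_dir,                    # 4. Windows directory
        cwd,                            # 5. current working directory
        *path_dirs,                     # 6. PATH entries
    ]


def resolve_dll(name, fs, app_dir, system_dir, windows_dir, cwd, path_dirs=()) -> Optional[str]:
    """Return the path the loader would pick for `name`, or None if not found."""
    if fs.is_known(name):
        return _join(system_dir, name)
    for directory in search_order(app_dir, system_dir, windows_dir, cwd, path_dirs):
        candidate = _join(directory, name)
        if fs.exists(candidate):
            return candidate
    return None


def shadowed_system_dlls(fs, app_dir, system_dir):
    """DLLs in app_dir that would be loaded instead of a same-named System32 DLL.

    This is the check a defender runs after planting a countermeasure DLL (does
    it actually take precedence?) and, read the other way, the usual indicator
    of a hijack attempt in a writable application directory.
    """
    prefix = app_dir.lower().rstrip("\\") + "\\"
    result = []
    for path in sorted(fs.files):
        if not (path.startswith(prefix) and path.endswith(".dll")):
            continue
        name = path[len(prefix):]
        if "\\" in name or fs.is_known(name):
            continue  # subdirectory entry, or a KnownDLLs name that cannot be shadowed
        if fs.exists(_join(system_dir, name)):
            result.append(name)
    return result


# Constructed sample layout (not paths from the article).
APP = r"C:\Sandbox\sample"
SYS = r"C:\Windows\System32"
WIN = r"C:\Windows"
CWD = r"C:\Sandbox"
SAMPLE_FS = FakeFs(
    files={
        _join(SYS, "example.dll").lower(),
        _join(SYS, "kernel32.dll").lower(),
        _join(APP, "example.dll").lower(),    # defender-planted copy
        _join(APP, "kernel32.dll").lower(),   # cannot win: kernel32 is a KnownDLL
    },
    known_dlls={"kernel32.dll"},             # constructed subset of the real list
)


def demo():
    planted = resolve_dll("example.dll", SAMPLE_FS, APP, SYS, WIN, CWD)
    known = resolve_dll("kernel32.dll", SAMPLE_FS, APP, SYS, WIN, CWD)
    return planted, known, shadowed_system_dlls(SAMPLE_FS, APP, SYS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the file prints the resolved path of the planted DLL, the System32 path the loader insists on for a KnownDLLs name, and the list of names in the sample directory that really shadow a system copy. The model covers the default search order only; a sample that loads its DLL with an absolute path or an application manifest would not be affected, which is one reason the technique is a supplementary layer rather than a replacement for endpoint controls.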

“Ransomware attacks targeting our companies and infrastructure have been never-ending, therefore I took an offensive versus defensive approach and tried to apply an exploit countermeasure and it worked,” Page told The Daily Swig.

‘Huge percentage vulnerable’

Page has found that Conti, Lockbit, and other widely used strains of ransomware have similar vulnerabilities. Other types of malware are vulnerable too.

“A huge percentage of malware are vulnerable to this exploit class as I noticed after analyzing thousands of malware,” he said.

Page stressed that this technique is not a replacement for good old endpoint solutions and should be considered a complementary layer of defense.

“The solutions to date are very different (e.g., signature detections or defenses like backing up data) and are still valid,” Page said. “Intercepting and exploiting ransomware using this common issue can be thought of as another layer of defense.”

‘Thorn in their side’

Page acknowledged that ransomware developers can patch their malware against the exploit, but said the victory in the fight against cybercrime is not to be underestimated.

“They will adapt,” he said. “But if we can force them to refactor their code and/or change their build process it can be an annoying thorn in their side and raise the bar. And remember, older strains are still affected.”

Darren Williams, CEO and founder of cybersecurity firm BlackFog, told The Daily Swig that while the code can successfully stop REvil attacks, it requires a sophisticated deployment strategy from an organizational perspective.

“In viewing the very real threat of REvil, organizations must look at an approach that is easy to maneuver, adaptable, and provides seamless integration to proactively fight these threats,” he said. “For these at-risk organizations, as we have often seen, vulnerabilities must be evaluated on a constant basis to ensure proper protocols are in place well in advance.”

The REvil ransomware gang may have resurfaced following a long period of inactivity, according to analysis of new ransomware samples by researchers from Secureworks. Russian authorities arrested 14 alleged members of the group in January of this year, while websites associated with REvil mysteriously disappeared in July 2021.


Source: https://portswigger.net/daily-swig/researcher-stops-revil-ransomware-in-its-tracks-with-dll-hijacking-exploit
