Sodinokibi ransomware uses MS API to encrypt open and locked files

Researchers warn of a new feature implemented in the Sodinokibi ransomware, the threat can now encrypt open and locked files.

The Sodinokibi ransomware (REvil) continues to evolve, operators implemented a new feature that allows the malware to encrypt victim’s files, even if they are opened and locked by another process.

Many applications lock files to prevent that they could be modified by two processes at the same time. Opened and locked files could no by encrypted by ransomware without first killing the process that locked the file.

For this reason, most of the ransomware shut down popular applications such as DBMS and mail servers that lock files.

Now experts from cybercrime intelligence firm Intel471, discovered a new variant of the Sodinokibi ransomware, namely version 2.2, that leverages the Windows Restart Manager API to close processes or shut down Windows services that locked a file to encrypt them.

“One of the more interesting new features of REvil version 2.2 is the use of the Windows Restart Manager to terminate processes and services that can lock files targeted for encryption. If a process has an open file handle for a specific file, then writes to that file by another process (in this case, a ransomware) it will be prevented by the Windows operating system (OS).” reads the analysis published by Intel471. “To circumvent this, the REvil developers have implemented a technique using the Windows Restart Manager also used by other ransomware such as SamSam and LockerGoga”

The following portion of the ransomware code show the use of the Windows Restart Manager:

Microsoft implemented the Restart Manager API to eliminate or reduce the number of system restarts that are required to complete an installation or update. 

Other ransomware uses the same Microsoft API for the same purpose, including the infamous SamSam and LockerGoga malware.

“The primary reason software updates require a system restart during an installation or update is that some of the files that are being updated are currently being used by a running application or service.” states Microsoft’s API documentation. “The Restart Manager enables all but the critical system services to be shut down and restarted. This frees files that are in use and allows installation operations to complete,”

The popular malware researcher Vitali Kremez noted that the REvil Decryptor v2.2 also leverages the Windows Restart Manager API to shut down any process that could prevent a file being decrypted.

Researchers also shared Indicators of Compromise (IoCs) for the new variant of the ransomware, version 2.2.

Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Sodinokibi ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]