Sodinokibi ransomware uses MS API to encrypt open and locked files

Researchers warn of a new feature implemented in the Sodinokibi ransomware, the threat can now encrypt open and locked files.

The Sodinokibi ransomware (REvil) continues to evolve, operators implemented a new feature that allows the malware to encrypt victim’s files, even if they are opened and locked by another process.

Many applications lock files to prevent that they could be modified by two processes at the same time. Opened and locked files could no by encrypted by ransomware without first killing the process that locked the file.

For this reason, most of the ransomware shut down popular applications such as DBMS and mail servers that lock files.

Now experts from cybercrime intelligence firm Intel471, discovered a new variant of the Sodinokibi ransomware, namely version 2.2, that leverages the Windows Restart Manager API to close processes or shut down Windows services that locked a file to encrypt them.

“One of the more interesting new features of REvil version 2.2 is the use of the Windows Restart Manager to terminate processes and services that can lock files targeted for encryption. If a process has an open file handle for a specific file, then writes to that file by another process (in this case, a ransomware) it will be prevented by the Windows operating system (OS).” reads the analysis published by Intel471. “To circumvent this, the REvil developers have implemented a technique using the Windows Restart Manager also used by other ransomware such as SamSam and LockerGoga”

The following portion of the ransomware code show the use of the Windows Restart Manager:

Microsoft implemented the Restart Manager API to eliminate or reduce the number of system restarts that are required to complete an installation or update.

Other ransomware uses the same Microsoft API for the same purpose, including the infamous SamSam and LockerGoga malware.

“The primary reason software updates require a system restart during an installation or update is that some of the files that are being updated are currently being used by a running application or service.” states Microsoft’s API documentation. “The Restart Manager enables all but the critical system services to be shut down and restarted. This frees files that are in use and allows installation operations to complete,”

The popular malware researcher Vitali Kremez noted that the REvil Decryptor v2.2 also leverages the Windows Restart Manager API to shut down any process that could prevent a file being decrypted.

Researchers also shared Indicators of Compromise (IoCs) for the new variant of the ransomware, version 2.2.

Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Sodinokibi ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.