The REvil Ransomware recently received an update that effectively allows malicious hackers to change Windows passwords, as well as automate a system’s file encryption via Safe Mode directly after that.
According to Bleeping Computer, the update was reportedly added in an effort to help these actors evade detection and to shut off backup software and database servers when encrypting the target’s files. Breaking down the update further, the new REvil ransomware reportedly changes the user’s password to “DTrump4ever” when the -smode argument is used.
As dastardly as this ransomware is, the silver lining in all this is that the affected person would still need to manually log in to Windows Safe Mode before the encryption can occur, and that alone could tip off the victim to the ransomware’s actions.
🆕 #REvil v2.05
-smode switch configures OS to boot into safe mode w/ networking via:
(pre-Vista) bootcfg /raw /a /safeboot:network /id 1
or
(Vista+) bcdedit /set {current} safeboot networkconfigures auto-lognn via WinLogon 🔑 w/ 'DTrump4ever' password
— R3MRUM (@R3MRUM) March 26, 2021
Of course, it should surprise no one that this isn’t the first time REvil has been cast into the spotlight. Last month, the hacker collective claimed responsibility for attacking the Taiwanese tech brand, Acer, and holding their servers hostage to the tune of US$50 million (~RM206 million).
In addition to the attack, the group also warned victims that it would not think twice about launching DDoS attacks on them or email their business partners about their activities. Should they choose not to pay the ransom.
(Source: TechRepublic, Bleeping Computer // Image: Bleeping Computer)
