Sodinokibi ransomware has got even nastier
A new feature has been added to the Sodinokibi ransomware that allows it to encrypt even more of a victim’s files including those that are opened and locked by another process.
Databases, mail servers and some other applications will lock files that they have open to prevent other programs from modifying them. By locking these files, the programs prevent the data they contain from being corrupted as a result of two processes writing to a file at the same time.
Ransomware applications are also unable to encrypt locked files without first shutting down the process that locked them in the first place. For this reason, ransomware will try to shut down database servers, mail servers and other applications that have the ability to lock files before encrypting a computer.
Version 2.2 of the Sodinokibi ransomware now contains a feature that allows it to use the Windows Restart Manager API to close processes or shut down Windows services which keep files open during encryption.
Sodinokibi revamped
The cybercrime intelligence firm Intel471 provided more details on how the Sodinokibi (REvil) ransomware is using the Windows Restart Manager to encrypt even more files in a new report, saying:
“One of the more interesting new features of REvil version 2.2 is the use of the Windows Restart Manager to terminate processes and services that can lock files targeted for encryption. If a process has an open file handle for a specific file, then writes to that file by another process (in this case, a ransomware) it will be prevented by the Windows operating system (OS). To circumvent this, the REvil developers have implemented a technique using the Windows Restart Manager also used by other ransomware such as SamSam and LockerGoga.”
The Windows Restart Manager API was originally created by Microsoft in order to allow Windows PCs to easily install software updates without first performing a restart in order to free files that the update will replace.
Now that Sodinokibi is using the software giant’s API, victims will be able to more easily decrepit files after paying a ransom but more of their files will end up being encrypted by the ransomware.
Via BleepingComputer
A new feature has been added to the Sodinokibi ransomware that allows it to encrypt even more of a victim’s files including those that are opened and locked by another process. Databases, mail servers and some other applications will lock files that they have open to prevent other programs from…
Recent Posts
- Apple’s earnings show that, yeah, it’s really time for some new iPads
- Spotify Supremium leak reveals what the new tier and some features may look like at launch
- When notifications remind us of things we’d rather forget
- Can Steam Deck get even better? Nvidia’s expanded GeForce NOW support is a resounding yes
- Surprisingly cheap Pro monitor provides unique features that even Apple Studio display doesn’t — AOC’s new monitors offer KVM capability, a whopping 11 ports and Hollywood-grade Calman software compatibility
Archives
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011