Conti, Lockbit, and other prolific ransomware strains apparently have similar vulnerabilities
The REvil ransomware has a vulnerability that can be exploited to deactivate the malware before it encrypts files on an infected computer, a security researcher has found.
John Page (hyp3rlinx), who runs malware vulnerability tracker website Malvuln.com, discovered that REvil searches for and executes DLLs in the directory where it is located. By hijacking a vulnerable DLL and executing specially crafted code, he could stop and terminate REvil before it started encrypting files.
“We do not need to rely on hash signatures or third-party products, the malwares [sic] flaw does the work for us,” Page wrote. With this technique, REvil will be stopped in its tracks even if it manages to kill anti-malware solutions before executing its payload.
Page posted a proof-of-concept video (see below) that shows how the vulnerability can be exploited.
Users can add the DLL to directories and network shares as an added layer of defense, so that a ransomware sample dropped alongside it loads the DLL and terminates itself before encrypting anything.
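Placing the DLL into many directories and shares is an administration task, so the following PowerShell script is an added example (not code from the article, the researcher, or Malvuln) of a controlled rollout; the DLL file name, its expected hash, and the target paths are placeholders and assumptions to be replaced with the values from the researcher's advisory and your own environment.

```powershell
# Added example: deploy a reviewed "vaccine" DLL into protected directories.
# ASSUMPTIONS: $VaccineSource is the DLL you obtained and reviewed; the file
# name the malware searches for is a placeholder and must come from the advisory.
param(
    [string]   $VaccineSource  = 'C:\Admin\vaccine\PLACEHOLDER-NAME.dll',
    [string]   $ExpectedSha256 = 'PLACEHOLDER-SHA256-OF-REVIEWED-DLL',
    [string[]] $TargetDirs     = @('C:\Users\Public', '\\fileserver\share')
)

# Refuse to deploy anything whose hash does not match the reviewed copy.
$actual = (Get-FileHash -Path $VaccineSource -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpper()) {
    throw "Vaccine DLL hash mismatch: $actual (expected $ExpectedSha256)"
}

$name = Split-Path -Leaf $VaccineSource
foreach ($dir in $TargetDirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Skipping missing directory: $dir"
        continue
    }
    $dest = Join-Path $dir $name
    if (Test-Path -LiteralPath $dest) {
        # A file with this name that is NOT our DLL is worth investigating:
        # leave it in place and flag it rather than overwrite it.
        $existing = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
        if ($existing -ne $actual) {
            Write-Warning "Unexpected file already at $dest (SHA256 $existing); not overwriting"
        }
        continue
    }
    Copy-Item -LiteralPath $VaccineSource -Destination $dest
    # Read-only plus hidden reduces accidental deletion by users; it is not a
    # security boundary, so pair it with restrictive NTFS ACLs on the share.
    Set-ItemProperty -LiteralPath $dest -Name Attributes `
        -Value ([IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden)
    Write-Output "Deployed $name to $dir"
}
```

Run it from an account that can write to each target, and re-run after the DLL is updated so the hash check catches a stale or tampered copy.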
“Ransomware attacks targeting our companies and infrastructure have been never-ending, therefore I took an offensive versus defensive approach and tried to apply an exploit countermeasure and it worked,” Page told The Daily Swig.
‘Huge percentage vulnerable’
Page has found that Conti, Lockbit, and other widely used strains of ransomware have similar vulnerabilities. Other types of malware are vulnerable too.
“A huge percentage of malware are vulnerable to this exploit class as I noticed after analyzing thousands of malware,” he said.
Page stressed that this technique is not a replacement for good old endpoint solutions and should be considered a complementary layer of defense.
“The solutions to date are very different (e.g., signature detections or defenses like backing up data) and are still valid,” Page said. “Intercepting and exploiting ransomware using this common issue can be thought of as another layer of defense.”
‘Thorn in their side’
Page acknowledged that ransomware developers can patch their malware against the exploit, but said that this win in the fight against cybercrime should not be underestimated.
“They will adapt,” he said. “But if we can force them to refactor their code and/or change their build process it can be an annoying thorn in their side and raise the bar. And remember, older strains are still affected.”
Darren Williams, CEO and founder of cybersecurity firm BlackFog, told The Daily Swig that while the code can successfully stop REvil attacks, it requires a sophisticated deployment strategy from an organizational perspective.
“In viewing the very real threat of REvil, organizations must look at an approach that is easy to maneuver, adaptable, and provides seamless integration to proactively fight these threats,” he said. “For these at-risk organizations, as we have often seen, vulnerabilities must be evaluated on a constant basis to ensure proper protocols are in place well in advance.”
The REvil ransomware gang may have resurfaced following a long period of inactivity, according to analysis of new ransomware samples by researchers from Secureworks. Russian authorities arrested 14 alleged members of the group in January of this year, while websites associated with REvil mysteriously disappeared in July 2021.