The REvil group have added a new weapon to their ransomware arsenal. Researchers have discovered that REvil has upgraded its malware so as to be able to encrypt files in Windows Safe Mode. This was probably done to evade detection from security software and ensure greater success in the encryption process.
What is Windows Safe Mode?
Windows loads in Safe Mode when there is a system critical problem that interferes with the normal operation of Windows. Administrators may also choose to reboot a computer into Safe Mode to run administrative and diagnostic tasks. It is normally used to troubleshoot Windows problems and try and to determine what is stopping it from functioning properly.
In Safe Mode, Windows only loads essential software and drivers the operating system needs to run. Importantly for REvil, any programs installed in Windows to start automatically, such as antivirus software, will not run in Safe Mode.
REvil’s New Tactic
Security researchers at MalwareHunterTeam tweeted recently that the REvil ransomware group’s malware can now reboot Windows machines into Safe Mode. The malware forces compromised devices to reboot into Safe Mode before encrypting them.
To achieve this REvil has added two new command lines to its ransomware, namely AstraZeneca and Franceisshit. “‘AstraZeneca’ is used to run the ransomware sample itself in the safe mode, and ‘Franceisshit’ is used to run a command in the safe mode to make the PC run in normal mode after the next reboot,” the MalwareHunterTeam explained.
REvil remotely reboots devices into Windows Safe Mode but needs users to login to Windows for the ransomware to run. Once the user logs in, the encryption of files begins. While the ransomware runs, the user is unable to launch any other programs until it has finished encrypting the device. When it has finished, the device automatically reboots back into normal mode. However, the device will show a ransom note on the desktop and encrypted files.
Safe Mode Encryption Tactic Unusual
Cybersecurity experts speculate that REvil reboots compromised devices into Safe Mode to evade detection by antivirus and other security software. Furthermore, Erich Kron from the security firm KnowBe4 explains that “Causing a Windows computer to reboot in safe mode can disable software, potentially even antivirus or anti-ransomware software, that is working to keep your computer safe. This would then allow the attackers to make changes that may otherwise not be allowed in normal running mode.”
However, REvil is not the first ransomware group to use such tactics. A Snatch ransomware variant used Safe Mode back in 2019. Nonetheless, experts find REvil’s use quite perplexing, as it relies on users login into devices after the group restarts them in Safe Mode.
Furthermore, reportedly a blank screen appears once users log into Windows. And the devices’ hard drives can be heard working hard as they are being encrypted. Consequently, users would be alerted that something is not quite right and may shutdown devices, stopping the encryption process.
Interestingly, a REvil group member has reportedly stated in an interview that the group particularly targets firms with ransomware insurance. This is because REvil believes that firms with insurance, like Deep Instinct, are more likely to pay than firms without.
The group member also stated that to get the list of firms that hold such insurances, REvil hacks insurance companies. He described such attacks as the “tastiest morsels”. “Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves,” he said.
Insurance companies have indeed been attacked in the past. For example, Chubb Insurance was allegedly attacked by the Maze ransomware group last year.