REvil / Sodinokibi Updates New Safe Mode Functionality

New versions of the Sodinokibi (also commonly known as REvil) ransomware were found last month with functionality for rebooting an infected workstation into Safe Mode. This was widely believed to be an attempt to run without the usual anti-virus or endpoint detection and response (EDR) software active to detect the malicious activity. That feature relied on the ransomware being launched with the “-smode” command-line option and on the victim typing in their credentials once the infected workstation rebooted. Now BleepingComputer reports that further updated samples have been found which build on this functionality: the ransomware can now change the currently logged-in user’s password and configure that user to log in automatically. Although the authors behind the ransomware may change this at any time, the victim’s password is currently being set to “DTrump4ever” (without the quotes). As a result, the workstation is effectively forced to reboot into a mode without protection and begins encrypting files without any user interaction.
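The two settings described above, automatic logon and a forced Safe Mode boot, both leave host-level traces a defender can audit. The following PowerShell script is an added example written for this post, not code from the original article or from the ransomware analysis; the post does not say which mechanism the samples use, so the script assumes the standard Winlogon autologon registry values and the BCD safeboot element, and it assumes it is run from an elevated prompt on the host being checked.

```powershell
# Added example (not from the original post): audit a Windows host for the
# autologon and Safe Mode boot settings a defender would want to alert on.
# Assumes an elevated PowerShell session on the host being checked.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props    = Get-ItemProperty -Path $winlogon
$findings = @()

# Autologon: AutoAdminLogon = "1" together with a stored DefaultPassword lets a
# reboot proceed straight to a logged-in desktop with no one at the keyboard.
if ($props.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon is enabled for user '$($props.DefaultUserName)'"
    if ($props.PSObject.Properties.Name -contains 'DefaultPassword') {
        $findings += "A cleartext DefaultPassword is stored under Winlogon"
    }
}

# Safe Mode: a 'safeboot' element on the current BCD entry means the next
# restart comes up without most third-party services, EDR agents included.
# The braces are quoted so PowerShell passes them through to bcdedit literally.
$bcd = bcdedit /enum '{current}' 2>$null
$safeboot = $bcd | Select-String -Pattern '^\s*safeboot\s'
if ($safeboot) {
    $findings += "BCD entry {current} has safeboot set: $($safeboot.Line.Trim())"
}

if ($findings.Count -eq 0) {
    Write-Output 'No autologon or safeboot settings found on this host.'
} else {
    # Surface each finding as a warning so it stands out in scheduled-task logs.
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Either finding on a workstation that has no business reason for unattended logon or Safe Mode boot is worth an immediate look, and clearing the safeboot element before the next restart keeps the security tooling in place.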

Analyst Notes

Binary Defense highly recommends that all organizations follow the guidance in the CISA (Cybersecurity and Infrastructure Security Agency) and NCSC (National Cyber Security Centre) ransomware guides. These guides contain detailed information for small and large businesses alike, describing how to back up and protect data, how to create incident response plans, and more.