The Sodinokibi (REvil) ransomware has developed a new trick to encrypt more of a victim’s files. Some applications, such as database or mail servers, will lock files they have opened so that other programs can’t modify them. This prevents a file from being corrupted if multiple processes are trying to modify the file at the same time. This also prevents ransomware from encrypting the file without shutting down the process first. Many ransomware variants try to shut down active processes but are not able to shut down all of them. The researchers at Intel471 have reported that the latest version of Sodinokibi now uses the Windows Restart Manager API to close processes or shut down Windows services that are keeping a file open, enabling the ransomware to encrypt even more files than was previously possible. The API was created by Microsoft to make software updates easier.
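To show what a defender can look for when this technique is used, here is an added Python example (not code from the article, Intel471 or the malware) that scans Windows Application-log records from the Restart Manager for a single session that closes many distinct applications in quick succession, which is what stepping through many locked files looks like compared with an installer closing one or two programs. It assumes the Restart Manager event IDs 10000, 10001 and 10002 and runs over constructed sample records.

```python
import re
from collections import defaultdict
from datetime import datetime

# Restart Manager event IDs in the Windows Application log (provider
# Microsoft-Windows-RestartManager). Assumed here; confirm against your own
# logs before turning this into a production detection rule.
EV_SESSION_START = 10000   # "Starting session <n>"
EV_SESSION_END = 10001     # "Ending session <n>"
EV_SHUTDOWN = 10002        # "Shutting down application or service '<name>'"

APP_NAME = re.compile(r"'([^']+)'")

# Constructed sample records (timestamp, event id, session, message); not
# taken from any real host. Session 0 looks like an installer closing one
# program; session 1 closes six different programs in half a minute.
SAMPLE_EVENTS = [
    ("2020-05-05T09:00:00", EV_SESSION_START, "0", "Starting session 0"),
    ("2020-05-05T09:00:01", EV_SHUTDOWN, "0", "Shutting down application or service 'Notepad'"),
    ("2020-05-05T09:00:05", EV_SESSION_END, "0", "Ending session 0"),
    ("2020-05-05T11:30:00", EV_SESSION_START, "1", "Starting session 1"),
] + [
    ("2020-05-05T11:30:%02d" % (5 * i), EV_SHUTDOWN, "1",
     "Shutting down application or service '%s'" % app)
    for i, app in enumerate(["Outlook", "SQL Server", "Excel", "Word",
                             "Thunderbird", "MySQL"], start=1)
] + [("2020-05-05T11:30:40", EV_SESSION_END, "1", "Ending session 1")]


def suspicious_sessions(events, min_apps=5, max_seconds=120):
    """Return ids of sessions in which Restart Manager shut down at least
    `min_apps` distinct applications or services within `max_seconds`.
    Session numbers restart at 0 for every calling process, so a real
    rule should also key on the start timestamp or the originating PID."""
    by_session = defaultdict(list)
    for ts, event_id, session, message in events:
        if event_id == EV_SHUTDOWN:
            match = APP_NAME.search(message)
            if match:
                by_session[session].append((datetime.fromisoformat(ts), match.group(1)))
    flagged = []
    for session, shutdowns in by_session.items():
        apps = {name for _, name in shutdowns}
        times = [t for t, _ in shutdowns]
        span = (max(times) - min(times)).total_seconds()
        if len(apps) >= min_apps and span <= max_seconds:
            flagged.append(session)
    return flagged
```

Feed it records pulled from the Application log (for example via Get-WinEvent filtered to the Restart Manager provider) and tune `min_apps` and `max_seconds` to what normal software updates produce in your environment.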
Analyst Notes
The use of this API does have a small benefit for the victim: once a decrypter is released, it can also use the Windows Restart Manager API to access any locked files for decryption. The number one defense against any ransomware is to not be infected in the first place. The primary methods of infection are still unauthorized access to remote desktop connections and phishing. Companies should educate their employees to recognize and report phishing emails to the IT security team, so they are not tricked into downloading malicious files or giving away their passwords. Organizations can also benefit from a third-party security service such as Binary Defense Managed Detection and Response (MDR), which can monitor and defend endpoints from attacks so that the malicious program can be stopped before it has a chance to do damage.
To read more: https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-can-now-encrypt-open-and-locked-files/