New versions of the Sodinokibi (also commonly known as REvil) ransomware were found last month with functionality for rebooting an infected workstation into Safe Mode. This was widely believed to give the ransomware a chance to run without the usual anti-virus or endpoint detection and response (EDR) software present to detect the malicious activity. That feature relied on the ransomware being launched with the “-smode” command-line option and on the victim typing in their credentials once the infected workstation rebooted. Now BleepingComputer reports that further updated samples have been found that build on this functionality. New versions of the ransomware can change the currently logged-in user’s password and configure that account to log in automatically. Although the authors behind the ransomware may change this at any time, the victim’s password is currently being set to “DTrump4ever” (without the quotes). By doing this, the workstation is effectively forced to reboot into a mode without protection and begins encrypting files without any user interaction.
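The chain described above (configure an unattended logon, force a Safe Mode boot, run with the “-smode” switch) leaves a small set of host artifacts that can be correlated. The following is an added detection example written for this page; it is not code from the article, BleepingComputer, or the malware authors. It assumes a simplified Sysmon-style event shape (Event ID 1 process creation and Event ID 13 registry value set) and uses the real Winlogon autologon values and the real `bcdedit … safeboot` command; the sample events themselves are constructed.

```python
"""Correlate the host indicators of a Safe Mode + autologon ransomware chain.

Added example, not from the original article. Event shape is a simplified
construction (not real Sysmon XML); the registry key, value names and the
bcdedit safeboot syntax are real Windows artifacts.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Real Winlogon key; these three values together enable an unattended logon.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTOLOGON_VALUES = {"autoadminlogon", "defaultusername", "defaultpassword"}

# bcdedit forcing the next boot into Safe Mode (minimal or network).
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
# The "-smode" switch the article describes, as a standalone argument.
SMODE_RE = re.compile(r"(?:^|\s)-smode(?:\s|$)", re.IGNORECASE)


@dataclass
class Event:
    """Simplified Sysmon-style event (constructed shape for this example)."""
    event_id: int            # 1 = Process Create, 13 = Registry Value Set
    host: str
    image: str = ""
    command_line: str = ""
    target_object: str = ""  # registry path written, for event 13
    details: str = ""        # value written, for event 13


def classify(ev: Event) -> Optional[str]:
    """Map one event to an indicator name, or None if it is not interesting."""
    if ev.event_id == 13:
        key, _, value = ev.target_object.rpartition("\\")
        if key.lower() == WINLOGON_KEY.lower() and value.lower() in AUTOLOGON_VALUES:
            return "autologon"
        return None
    if ev.event_id == 1:
        if SAFEBOOT_RE.search(ev.command_line):
            return "safeboot"
        if SMODE_RE.search(ev.command_line):
            return "smode_switch"
    return None


def indicators_by_host(events: List[Event]) -> Dict[str, Set[str]]:
    """Collect the distinct indicators seen on each host."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            found[ev.host].add(tag)
    return dict(found)


def alerts(events: List[Event], min_indicators: int = 2) -> List[str]:
    """Hosts on which at least `min_indicators` distinct indicators occurred.

    A lone autologon change is common in kiosk builds; requiring a second
    indicator (safeboot or the -smode launch) on the same host cuts that noise.
    """
    return sorted(h for h, tags in indicators_by_host(events).items()
                  if len(tags) >= min_indicators)


# Constructed sample events: WS01 shows the full chain, WS02 only a kiosk-style
# autologon, WS03 only a harmless bcdedit enumeration.
SAMPLE_EVENTS = [
    Event(1, "WS01", image=r"C:\Users\alice\Downloads\invoice.exe",
          command_line="invoice.exe -smode"),
    Event(13, "WS01", image=r"C:\Users\alice\Downloads\invoice.exe",
          target_object=WINLOGON_KEY + r"\AutoAdminLogon", details="DWORD (0x00000001)"),
    Event(13, "WS01", image=r"C:\Users\alice\Downloads\invoice.exe",
          target_object=WINLOGON_KEY + r"\DefaultPassword", details="<redacted>"),
    Event(1, "WS01", image=r"C:\Windows\System32\bcdedit.exe",
          command_line="bcdedit /set {default} safeboot network"),
    Event(13, "WS02", image=r"C:\Windows\regedit.exe",
          target_object=WINLOGON_KEY + r"\AutoAdminLogon", details="DWORD (0x00000001)"),
    Event(1, "WS03", image=r"C:\Windows\System32\bcdedit.exe",
          command_line="bcdedit /enum"),
    Event(1, "WS02", image=r"C:\Windows\explorer.exe", command_line="explorer.exe"),
]

if __name__ == "__main__":
    print("hosts to investigate:", alerts(SAMPLE_EVENTS))
```

The registry value set event is the durable signal here: whether the password change and autologon setup are done through reg.exe, a script, or direct API calls, the Winlogon values still change on disk, so a rule on Event ID 13 for that key does not depend on which tool the sample used.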
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is