The Sodinokibi (REvil) ransomware has developed a new trick to encrypt more of a victim’s files. Some applications, such as database or mail servers, will lock files they have opened so that other programs can’t modify them. This prevents a file from being corrupted if multiple processes are trying to modify the file at the same time. This also prevents ransomware from encrypting the file without shutting down the process first. Many ransomware variants try to shut down active processes but are not able to shut down all of them. The researchers at Intel471 have reported that the latest version of Sodinokibi now uses the Windows Restart Manager API to close processes or shut down Windows services that are keeping a file open, enabling the ransomware to encrypt even more files than was previously possible. The API was created by Microsoft to make software updates easier.
Watch the Video
How does Binary Defense help protect your organization? With best in breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.