Bugs in popular ransomware allow blocking encryption

Hackers are known to exploit vulnerabilities to gain access to databases and companies’ files. This time, though, a researcher has found bugs in ransomware itself that can be used to prevent it from encrypting files.

The “popular” ransomware families, like Conti, the revived REvil, the newcomer Black Basta, the highly active LockBit, and AvosLocker, all carry security issues that could be exploited to stop the final and most damaging step of the attack: file encryption.

Malware researcher Malvuln (aka hyp3rlinx) published a video on May 2 demonstrating that ransomware samples were vulnerable to DLL hijacking, a method usually leveraged by attackers to run malicious code inside a legitimate application.

proof of concept of DLL hijacking shared by hyp3rlinx on YouTube

DLL hijacking is specific to Windows and exploits the order in which applications search for and load the Dynamic Link Library (DLL) files they need.

A program that loads a library by name alone, without checking where the file came from, takes the first file with that name it finds in the search order. An attacker who can write to a directory that is consulted before the legitimate location, or who supplies a library the program asks for but never ships, therefore gets their code executed inside the program, with the program’s privileges.

For vulnerable ransomware samples from Conti, REvil, LockBit, Black Basta, LockiLocker, and AvosLocker, the researcher says the exploit allows executing code to “control and terminate the malware pre-encryption.”

To leverage the vulnerabilities in the malware from the above gangs, the researcher created exploit code that has to be compiled into a DLL with a specific name, so that the malicious program recognizes it as a library it expects and loads it before it starts encrypting data; the planted DLL then takes control and terminates the process.
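As an added example (not the article’s or Malvuln’s code), the following C program models the search-order rule the technique depends on and, when built with a Windows toolchain, also contains a minimal kill-switch DLL of the kind described above: it ends the host process the moment it is mapped, before any encryption routine can run. The directory layout, the writability flags and the library names (`missing_helper.dll`, `present_lib.dll`) are constructed for the example; the page does not name the DLLs the samples look for. The model uses the default SafeDllSearchMode order and ignores KnownDLLs, manifests and API sets.

```c
/* Added example: DLL search-order model plus a Windows-only kill-switch DLL.
 * Not code from the article or from the Malvuln project. */
#include <stdio.h>
#include <string.h>

/* One entry in the loader's search order, with a constructed assumption about
 * whether an unprivileged user can write to it. */
struct search_dir {
    const char *path;
    int user_writable;
};

/* Join dir and name with a backslash into buf; returns buf. */
static const char *join_path(const char *dir, const char *name, char *buf, size_t len)
{
    snprintf(buf, len, "%s\\%s", dir, name);
    return buf;
}

/* Does a file with exactly this full path exist on the simulated disk? */
static int file_exists(const char *path, const char *const *disk, int ndisk)
{
    for (int i = 0; i < ndisk; i++)
        if (strcmp(disk[i], path) == 0)
            return 1;
    return 0;
}

/* Index of the directory from which `name` would be loaded: the loader walks
 * the order front to back and takes the first hit. -1 if no copy exists. */
int resolve_dll(const char *name, const struct search_dir *dirs, int ndirs,
                const char *const *disk, int ndisk)
{
    char buf[512];
    for (int i = 0; i < ndirs; i++)
        if (file_exists(join_path(dirs[i].path, name, buf, sizeof buf), disk, ndisk))
            return i;
    return -1;
}

/* Index of the first user-writable directory consulted before the legitimate
 * copy is reached (or before the loader gives up, if there is no copy), or -1.
 * A non-negative result means planting `name` there gets the planted file loaded. */
int hijack_dir(const char *name, const struct search_dir *dirs, int ndirs,
               const char *const *disk, int ndisk)
{
    int legit = resolve_dll(name, dirs, ndirs, disk, ndisk);
    int limit = legit < 0 ? ndirs : legit;
    for (int i = 0; i < limit; i++)
        if (dirs[i].user_writable)
            return i;
    return -1;
}

/* Constructed scenario: a sample dropped into a user-writable download folder.
 * Default SafeDllSearchMode order: application dir, System32, System, Windows,
 * current directory, PATH entries. Simplified; KnownDLLs etc. are ignored. */
static const struct search_dir ORDER[] = {
    { "C:\\Users\\victim\\Downloads", 1 },  /* application directory */
    { "C:\\Windows\\System32", 0 },
    { "C:\\Windows\\System", 0 },
    { "C:\\Windows", 0 },
    { "C:\\Users\\victim", 1 },             /* current working directory */
    { "C:\\Tools", 1 },                     /* a PATH entry */
};
#define NORDER ((int)(sizeof ORDER / sizeof ORDER[0]))

/* Case 1: the sample asks for a library that exists nowhere (a loader trace
 * shows NAME NOT FOUND). The first writable directory in the order wins. */
int case_missing_library(void)
{
    return hijack_dir("missing_helper.dll", ORDER, NORDER, NULL, 0);
}

/* Case 2: the library exists in System32 but is resolved by name, so the
 * writable application directory, consulted first, shadows it. */
int case_shadowed_library(void)
{
    static const char *const disk[] = { "C:\\Windows\\System32\\present_lib.dll" };
    return hijack_dir("present_lib.dll", ORDER, NORDER, disk, 1);
}

/* Case 3: after a kill-switch DLL is planted under the expected name, the
 * resolver picks it (index 0) where it previously found nothing. */
int case_after_planting(void)
{
    static const char *const disk[] = { "C:\\Users\\victim\\Downloads\\missing_helper.dll" };
    return resolve_dll("missing_helper.dll", ORDER, NORDER, disk, 1);
}

/* Case 4: same program installed under Program Files (not user-writable): the
 * System32 copy is reached before any writable directory, so there is nowhere
 * for a non-admin attacker to plant a copy. */
int case_protected_install(void)
{
    static const struct search_dir order[] = {
        { "C:\\Program Files\\App", 0 }, { "C:\\Windows\\System32", 0 },
        { "C:\\Windows\\System", 0 },    { "C:\\Windows", 0 },
        { "C:\\Users\\victim", 1 },      { "C:\\Tools", 1 },
    };
    static const char *const disk[] = { "C:\\Windows\\System32\\present_lib.dll" };
    return hijack_dir("present_lib.dll", order, 6, disk, 1);
}

#ifdef _WIN32
#include <windows.h>
/* Kill-switch DLL body: build with `cl /LD`, rename to the library name the
 * sample searches for, and place it in the hijack directory found above.
 * TerminateProcess on the current process does not run DLL_PROCESS_DETACH
 * handlers, so it is safe to call while the loader lock is held in DllMain. */
BOOL APIENTRY DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH)
        TerminateProcess(GetCurrentProcess(), 1);
    return TRUE;
}
#endif

int main(void)
{
    printf("missing library: plant in search dir %d\n", case_missing_library());
    printf("shadowed library: plant in search dir %d\n", case_shadowed_library());
    printf("after planting: resolved from search dir %d\n", case_after_planting());
    printf("protected install: hijack dir %d (none)\n", case_protected_install());
    return 0;
}
```

The usual way to learn which name a sample expects is to run it in an isolated lab under a file-activity tracer such as Process Monitor and look for failed lookups of a `.dll` in the sample’s own directory; that observation, not the model above, is what fixes the name. The model also shows the defensive side of the same rule: a binary that runs from a directory only administrators can write to, and that loads its libraries by full path or with `LOAD_LIBRARY_SEARCH_SYSTEM32`, leaves no earlier writable directory for an attacker to use.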

It is unclear if the ransomware samples used for the research are the latest; however, we believe it to be a great finding.

UPD: you can learn more about the Malvuln project by John Page (aka hyp3rlinx) on his GitHub account.
