A security researcher has uncovered key flaws related to popular ransomware and malware – a state of affairs that could lead their creators to completely rethink the approach to infiltrating potential victims.
Currently, among the most active ransomware-based groups are the likes of Conti, REvil, Black Basta, LockBit and AvosLocker. However, as reported by Bleeping Computer, the malware developed by these cyber gangs has been found to contain crucial security vulnerabilities of its own.
These flaws could very well prove to be a damaging revelation for the aforementioned groups – after all, such security holes can be targeted to prevent what most ransomware is created for: the encryption of files contained within a system.
A security researcher, hyp3rlinx, who specializes in malware vulnerability research, examined the malware strains belonging to the main ransomware groups. Interestingly, he said the samples were vulnerable to dynamic link library (DLL) hijacking, a method traditionally used by attackers themselves to get malicious code loaded by a legitimate program.
“DLL hijacking only works on Windows systems and exploits the way applications search for and load into memory the Dynamic Link Library (DLL) files they need,” explains Bleeping Computer. “A program with insufficient controls can load a DLL from a path outside its directory, elevating privileges or executing unwanted code.”
The exploits associated with the ransomware samples that were inspected by hyp3rlinx – all of which are derived from Conti, REvil, LockBit, Black Basta, LokiLocker and AvosLocker – allow code to be run that can essentially “check and stop malware pre-encryption.”
Thanks to the discovery of these flaws, hyp3rlinx was able to design exploit code that is compiled into a DLL. This DLL is given a specific name, effectively tricking the malicious code into treating it as one of its own libraries. The ransomware then loads that DLL as it begins the process of encrypting data, which is the point at which the exploit stops it.
Conveniently, the security researcher uploaded a video that shows how the DLL hijacking vulnerability (in the REvil group's ransomware) is used to stop the malware attack before it can even start.
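The mechanism Bleeping Computer describes above (a program resolving a DLL by name and loading it from whatever directory the search order reaches first) is also what a defender can watch for in endpoint telemetry, whether the loader is a ransomware binary or a legitimate application. The following script is an added example, not code from hyp3rlinx, Bleeping Computer or any ransomware sample: it models image-load records on the fields of Sysmon Event ID 7 and flags loads that fit a DLL search-order hijack. The list of watched DLL names, the trusted and writable directories, and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which a legitimately installed system DLL is expected to load.
# Assumption: a default Windows layout; adjust for the environment being monitored.
TRUSTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
)

# DLL names commonly resolved through the search order and therefore worth
# watching when they turn up outside the system directories (constructed list).
WATCHED_DLLS = {"version.dll", "cryptsp.dll", "wtsapi32.dll", "dbghelp.dll"}

# User-writable locations where an unsigned DLL loaded by an executable is a red flag.
WRITABLE_DIRS = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


@dataclass(frozen=True)
class ImageLoad:
    """One image-load record, modelled on Sysmon Event ID 7 fields (assumed shape)."""
    process: str        # image of the process doing the loading
    image_loaded: str   # full path of the DLL that was loaded
    signed: bool        # whether the DLL carried a valid Authenticode signature


def in_trusted_dir(dll_path: str) -> bool:
    """True when the DLL's parent directory is one of the trusted system directories."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return parent in TRUSTED_DIRS


def in_writable_dir(dll_path: str) -> bool:
    """True when the DLL lives under a location ordinary users can write to."""
    return dll_path.lower().startswith(WRITABLE_DIRS)


def suspicious_loads(events):
    """Return (process, dll_path, reason) for every load matching a hijack pattern."""
    findings = []
    for ev in events:
        name = PureWindowsPath(ev.image_loaded).name.lower()
        if name in WATCHED_DLLS and not in_trusted_dir(ev.image_loaded):
            # A system DLL name was satisfied from a directory earlier in the
            # search order than System32: the classic search-order hijack.
            findings.append((ev.process, ev.image_loaded,
                             "system DLL name resolved outside the system directory"))
        elif not ev.signed and in_writable_dir(ev.image_loaded):
            findings.append((ev.process, ev.image_loaded,
                             "unsigned DLL loaded from a user-writable location"))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoad("C:\\Program Files\\App\\app.exe",
              "C:\\Windows\\System32\\version.dll", True),
    ImageLoad("C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll", False),
    ImageLoad("C:\\Program Files\\App\\app.exe",
              "C:\\Program Files\\App\\helper.dll", True),
    ImageLoad("C:\\ProgramData\\tool.exe",
              "C:\\ProgramData\\plugin.dll", False),
]

if __name__ == "__main__":
    for proc, dll, why in suspicious_loads(SAMPLE_EVENTS):
        print(f"{why}: {dll} (loaded by {proc})")
```

Run against the constructed records, the first rule fires on the copy of version.dll sitting beside setup.exe in a Temp folder, and the second on the unsigned plugin.dll under ProgramData; the two loads from System32 and Program Files pass. In a real deployment the same two rules would be expressed as a query over the SIEM's image-load events, with the directory and DLL lists tuned to the software actually installed.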
The significance of these exploits
As highlighted by Bleeping Computer, a typical target of ransomware is a location on the network that may contain sensitive data. Therefore, hyp3rlinx claims that once the exploit DLL is loaded, by placing that DLL in certain folders, the ransomware process should theoretically be stopped before it can cause damage.
Malware is often able to evade or disable security processes, but hyp3rlinx emphasizes that the malicious code has no defence of its own when it comes to the DLLs it loads.
That said, whether the researcher’s findings result in long-term changes in prevention, or at least reduce the incidence of ransomware and malware attacks, is another question.
“If the samples are new, the exploitation is likely to only work for a short time because ransomware gangs are quick to fix bugs, especially when they hit the public space,” Bleeping Computer said. “Even if these findings prove to be feasible for some time to come, companies targeted by ransomware gangs still risk having important files stolen and leaked, as exfiltration to pressure the victim to pay a ransom is part of the modus operandi of this threat actor.”
However, the cybersecurity website added that hyp3rlinx’s achievements “could prove useful at least in preventing a disruptive operation that could cause serious damage.”
As such, although these flaws are likely to be patched by the ransomware groups in the near future, finding these exploits is an encouraging first step in influencing the development and distribution of malicious code. It can also lead to more advanced mitigation methods to prevent attacks.
Ransomware groups do not consist of your average hackers. Creating and spreading effective malware is a complex task in itself, and the financial benefit of a successful attack can generate hundreds of millions of dollars for the perpetrators. A considerable portion of these ill-gotten gains is extracted from innocent individuals.