Sodinokibi ransomware, also known as REvil group has now upgraded to encrypt even the locked files. This was seen by Intel471 researchers in Sodinokibi’s new update, version 2.2, where the ransomware leverages Windows Restart Manager API to shut down Windows services that lock files during this encryption.
Updated Version 2.2
Sodinokibi ransomware is a Ransomware-as-a-Service (RaaS), that’s being kept and developed by a group of creators and sold to other hackers. And making this more effective, the authors have added a new feature to this ransomware where it can now lock even the locked files of victim’s system too. This is done through using the Windows Restart Manager API.
Windows Restart Manager is Microsoft’s function for easing the software update installation. This is done by reducing, or even eliminating the number of times system restarts to complete the update installation. This process shuts down all the unnecessary running programs while restarting. This is now used by attackers to shut down Windows services like database or mail servers, which locks some files during the process and keep them open for encrypting.
Further, it’s also being used for easy decryption. This closure makes it easy for the victim to decrypt locked files, from the decryptor provided by ransomware authors after paying the ransom. Sodinokibi isn’t the first gang using this feature, ransomware groups like SamSam and LockerGoga have also been leveraging Window’s Restart Manager API to lock even more files than possible.
This was first reported by cybersecurity firm Intel471 and later confirmed by the researcher, Vitali Kremez. It’s wondering how ransomware gangs are using legitimate features to exploit the system even further and steal more files. If not using this service, Windows services would’ve locked some files from executing dual programs at a time, thus barring ransomware to steal or encrypt files.