The REvil Ransomware is unstoppable when it comes to ingenious hacking tactics and techniques. The well-known ransomware has escalated its attack vector once again, this time by changing the victim’s login password in order to reboot the computer into Windows Safe Mode.
While malicious groups are constantly upgrading their attack strategies in order to fight security measures, the threat actors behind the REvil ransomware are especially skilled at honing their malware in order to make their attack campaigns more effective.
Last month, security researcher R3MRUM discovered a new sample of the REvil ransomware that improves the new Safe Mode encryption method by changing the logged-on user’s password and setting Windows to automatically login on reboot. The ransomware would update the user’s password to ‘DTrump4ever’ if the -smode statement is used.
Afterward, the ransomware configures the following Registry values for Windows to automatically log in with the new account information. It is currently unknown whether new REvil ransomware encryptor samples will continue to use the ‘DTrump4ever’ password, but at least two samples submitted to VirusTotal in the last two days have done so.
This latest strategy exemplifies how ransomware groups are actively refining their tactics in order to effectively encrypt users’ devices and demand a ransom payment.
Asteelflash, a world-leading French EMS company, confirmed last week that it has been the target of a cybersecurity incident, identifying the involvement of REvil ransomware. After initially setting the ransom at $12 million in Monero crypto, the attackers demanded Asteelflash pay a whopping $24 million ransom. However, as the negotiations didn’t reach a point of agreement in time, the actors raised the ransom to double the amount and leaked the first sample of the exfiltrated files.
Acer, a computer manufacturer, was also hit by the REvil ransomware. REvil has demanded a ransom of $50 million, which may be the highest ever demanded ransom.
REvil has released a service for contact to news media, companies for the best pressure at no cost, and DDoS (L3, L7) as a paid service. Threat actors, or associated partners, will perform voice-scrambled VoIP calls to the media and victim’s business partners with information about the attack.