Skip to main content

This researcher just beat ransomware gangs at their own game

A security researcher has discovered key flaws pertaining to popular ransomware and malware — a state of affairs that could lead to their creators entirely rethinking the approach to infiltrate potential victims.

Currently, among the most active ransomware-based groups are the likes of Conti, REvil, Black Basta, LockBit, and AvosLocker. However, as reported by Bleeping Computer, the malware developed by these cyber gangs has been found to come with crucial security vulnerabilities.

A digital depiction of a laptop being hacked by a hacker.
Digital Trends

These defects could very well prove to be a damaging revelation for the aforementioned groups — ultimately, such security holes can be targeted in order to prevent what the majority of ransomware is created for; the encryption of files contained within a system.

A security researcher, hyp3rlinx, who specializes in malware vulnerability research, examined the malware strains belonging to the leading ransomware groups. Interestingly, he said the samples were exposed to dynamic link library (DLL) hijacking, which is a method traditionally used by attackers themselves that targets programs via malicious code.

“DLL hijacking works on Windows systems only and exploits the way applications search for and load in memory the Dynamic Link Library (DLL) files they need,” Bleeping Computer explains. “A program with insufficient checks can load a DLL from a path outside its directory, elevating privileges or executing unwanted code.”

The exploits associated with the ransomware samples that were inspected by hyp3rlinx — all of which are derived from Conti, REvil, LockBit, Black Basta, LockiLocker, and AvosLocker — authorize code that can essentially “control and terminate the malware pre-encryption.”

Due to the discovery of these flaws, hyp3rlinx was able to design exploit code that is assembled into a DLL. From here, that code is assigned a certain name, thereby effectively tricking the malicious code into detecting it as its own. The final process involves loading said code so that it commences the process of encrypting the data.

Conveniently, the security researcher uploaded a video that shows how a DLL hijacking vulnerability is used (by ransomware group REvil) to put an end to the malware attack before it can even begin.

Conti Ransomware - Code Exec Vulnerability

The significance of the discovery of these exploits

As highlighted by Bleeping Computer, a typical area of a computer targeted by ransomware is a network location that can house sensitive data. Therefore, hyp3rlinx asserts that after the DLL exploit is loaded by placing that DLL in certain folders, the ransomware process should theoretically be stopped before it can inflict damage.

Malware is capable of evading security mitigation processes, but hyp3rlinx stresses that malicious code is completely ineffective when it faces DLLs.

That said, whether the researcher’s investigation results in long-lasting changes in preventing or at least reducing the impact of ransomware and malware attacks is another question entirely.

“If the samples are new, it is likely that the exploit will work only for a short time because ransomware gangs are quick to fix bugs, especially when they hit the public space,” Bleeping Computer said. “Even if these findings prove to be viable for a while longer, companies targeted by ransomware gangs still run the risk of having important files stolen and leaked, as exfiltration to pressure the victim into paying a ransom is part of this threat actor’s modus operandi.”

Still, the cybersecurity website added that hyp3rlinx’s exploits “could prove useful at least to prevent operational disruption, which can cause significant damage.”

As such, although it’s likely to be patched soon by ransomware groups in the immediate future, finding these exploits is an encouraging first step toward impacting the development and distribution of dangerous code. It may also lead to more advanced mitigation methods to prevent attacks.

Ransomware groups do not consist of your average hackers. Creating and spreading effective malware is a sophisticated task in and of itself, and the financial windfall from a successful attack can generate hundreds of millions of dollars for the perpetrators. A considerable portion of those ill-gotten gains is extracted from innocent individuals.

Editors' Recommendations

Zak Islam
Computing Writer
Zak Islam was a freelance writer at Digital Trends covering the latest news in the technology world, particularly the…
Experts fear ChatGPT will soon be used in devastating cyberattacks
The ChatGPT name next to an OpenAI logo on a black and white background.

ChatGPT has taken the world by storm in recent months, but just as it has amazed people with its technical capabilities, concerns have also been raised over its potential misuse. Now, it seems some IT leaders are worried it will soon be used in major cyberattacks, with the potential to cause devastation in the future.

In a survey of 1,500 IT and cybersecurity professionals conducted by BlackBerry, 51% of respondents believed that ChatGPT will be responsible for a successful cyberattack in the next 12 months. As much as 78% feel that attack will happen within two years, while a handful think it could happen within the next few months.

Read more
Hackers sink to new low by stealing Discord accounts in ransomware attacks
a faceless hacker in a black hoodie in front of a computer screen with lines of code on it

As if ransomware wasn’t terrifying enough already, hackers are now trying to hold your Discord account hostage, as well as your files. Thankfully, you can grab your Discord back if you act quickly enough.
This new ransomware campaign was recently discovered by leading cybersecurity firm Cyble, and it’s a particularly nasty one. A wave of similar attacks is emerging, including AXLocker, Octocrypt, and Alice. Ransomware encrypts files on the infected computer before demanding that you pay to decrypt your files to regain access.

Something uniquely cruel about AXLocker is that it also copies your Discord token and sends it to the hacker's server, giving them an opportunity to access and steal your Discord account. The malware is sneaky and leaves file names and extensions intact as it encrypts files so you might not notice anything is wrong until you see the ransom note.

Read more
Hackers are infiltrating news websites to spread malware
A black fedora rests on top of newspapers infected with spreading green lines..

Some alarming news broke today that hundreds of U.S. news websites are unwittingly playing a big role in a new malware campaign that's disguised as a Chrome browser update. This is quite a devious attack method since it's considered an important security practice to update your browser as soon as possible.

The way hackers are delivering the malware is also clever. It’s coming via an advertising network that also supplies video content to newspaper websites across the nation. It’s difficult to identify and shut down this attack because it is applied intermittently. According to a tweet by the security research team Threat Insight, the JavaScript code is being changed back and forth from the normal harmless ad delivery script to the one that includes the hacker code that shows a false update alert.

Read more