The ransomware gang REvil introduced a special malware feature that allows attackers to reboot infected devices after encryption. REvil emerged in April 2019 and is also recognized by the names Sodinokibi and Sodin. The ransomware gang was linked to many important attacks, including attacks in May 2020 on popular law firm Grubman Shire Meiselas and Sacks and also an attack in April 2020 on Travelex, a London-based currency exchange that paid a $2.3 million ransom for recovering its data.
The MalwareHunter team researchers recently tweeted that the REvil operators have introduced two new command lines named 'AstraZeneca' and 'Franceisshit,' in Windows Safe Mode, which is utilized to reach the initialization screen for Windows devices.
"'AstraZeneca' is used to run the ransomware sample itself in the safe mode, and 'Franceisshit' is used to run a command in the safe mode to make the PC run in normal mode after the next reboot," team of MalwareHunter tweeted.
However it is not special, but the strategy is definitely uncommon, said the analysts. REvil implements this feature most likely as it will help the Ranking software to avoid detection by certain security devices because these functions allow attackers to encrypt the files in windows safe mode.
"Causing a Windows computer to reboot in safe mode can disable software, potentially even antivirus or anti-ransomware software, that is working to keep your computer safe," says Erich Kron, security awareness advocate at the security firm KnowBe4. "This would then allow the attackers to make changes that may otherwise not be allowed in normal running mode."
By tracking computers for unusual rebooting activities and by implementing successful data loss protection checks, organizations can deter malicious acts. Since REvil mainly uses compromised RDPs and mail phishing for distribution, it is essential for organizations, ideally through multi-factor authentication, to ensure that all Internet-accessible RDP instances are protected and that their employees are trained on high-quality security sensitives which can help them identify and track phishing attacks.
Lately, the gang allegedly attacked Taiwan PC maker ‘Acer’ in an on-site version of Microsoft Exchange server, exploiting the unpatched ProxyLogon defect.
The REvil Gang has gradually strengthened its malware and adapted various new methods of extortion. As of now, it frequently aims at bigger companies looking for significantly greater pay-outs, names, and shames via its devoted leak and targets cyber-insurance victims.