A cyber security researcher has analysed leading ransomware samples and found a simple trick to stop them from executing their file encryption process on targeted machines.
Vulnerable samples including Conti, REvil, AvosLocker, WannaCry, and LockBit were all tested and found to be vulnerable to dynamic link library (DLL) hijacking.
It means businesses concerned about ransomware attacks can deploy mitigation to help prevent future ransomware attacks launched with these specific strains that are vulnerable to DLL hijacking.
The security researcher, known by the handle hyp3rlinx, said the specially crafted hijacked DLL file can be placed in a location the user believes the ransomware is likely to embed itself in the environment, such as the C drive in Windows, and have it lay dormant until an infection is attempted.
The ransomware’s file encryption process should stop once it executes its infection DLL since the hijacked DLL will end all the malicious processes leaving just the decryption instructions in the file location.
“Conti looks for and executes DLLs in its current directory,” said hyp3rlinx in a published advisory. “Therefore, we can potentially hijack a vulnerable DLL execute our own code, control and terminate the malware pre-encryption.
“The exploit DLL will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malware’s own vulnerability will do the work for us.”
The explanations of how the mitigation works are the same across the different leading ransomware strains, according to the researcher’s advisories.
It’s unclear what samples of the ransomware families the researcher used in their analysis, but it’s unlikely that all known strains will be vulnerable to DLL hijacking.
For example, experts have told IT Pro that multiple different strains of WannaCry ransomware have been observed in the wild since it infected swathes of computers worldwide almost five years ago, with some being modified to eliminate the ‘kill switch’ vulnerability.
The likes of Conti and REvil have also closed their operations, although the latter is rumoured to be making a return, the ransomware programs are still searchable on the dark web and can be distributed by cyber criminals, whether they are affiliated with the original gang or not.
This means the threat of these now-defunct ransomware strains is still present and the DLL hijacking vulnerability could serve businesses in the case of an attack.
DLL hijacking is a Windows-exclusive phenomenon and refers to how some Windows applications search and load DLL files.
DLL files are at the core of some applications’ functionality and can be seen as fragments of a program. They often come pre-loaded on a Windows machine, allowing other applications to use them to provide common functions like looking up domain names, so developers don’t have to code that functionality into their software each time.
By placing a hijacked DLL file in a location that falls within the search parameters of a vulnerable application, such as these vulnerable ransomware samples, defenders can hijack and terminate the encryption process.
“Malware or ransomware relies on a computational environment and has deep dependencies in code which also involves using Dynamic Link Libraries,” said Kevin Curran, IEEE senior member and professor of cyber security at Ulster University to IT Pro.
RELATED RESOURCE
Security awareness training strategies for account takeover protection
Why you need an inside-the-perimeter strategy for internal threats
“These DLLs are specific to certain operating systems, whilst others use a similar method of invoking external code to execute functionality. The motivation behind DLLs is rather clever, it acts as a way to minimise memory usage so applications can also share this critical code,” he added.
“Researchers have discovered that they can ‘hijack’ a DLL by placing a ‘benign’ code inside the DLL which is used by the ransomware to encrypt the data. This is the main objective of ransomware, to encrypt all valuable data on a device as the replaced DLL basically halts the critical encryption process.
“This will prove useful in the long run as the creators of the leading ransomware will undoubtedly overcome this new mitigation. It does, however, provide a glimpse of hope in that we can to the best of our abilities, continue to mitigate the damage and threat posed by ransomware attacks.”
Hyp3rlinx said the processes of installed security products like antivirus programs and endpoint protection solutions can potentially be killed by the ransomware’s payload upon execution but this mitigation will not impact such solutions since the DLL lies on the disk waiting.
A full list of the advisories relating to the vulnerable ransomware strains can be found below:
-
Cloudflare is cracking down on AI web scrapersNews Cloudflare CEO Matthew Prince said AI companies have been "scraping content without limits" - now the company is cracking down.
-
Swiss government data published following supply chain attack – here’s what we know about the culpritsNews Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackersNews While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
