Researcher discovers simple tweak that neutralises Conti, REvil, WannaCry attacks

Ransomware on a red screen
(Image credit: Shutterstock)

A cyber security researcher has analysed leading ransomware samples and found a simple trick to stop them from executing their file encryption process on targeted machines.

Vulnerable samples including Conti, REvil, AvosLocker, WannaCry, and LockBit were all tested and found to be vulnerable to dynamic link library (DLL) hijacking.

It means businesses concerned about ransomware attacks can deploy mitigation to help prevent future ransomware attacks launched with these specific strains that are vulnerable to DLL hijacking.

The security researcher, known by the handle hyp3rlinx, said the specially crafted hijacked DLL file can be placed in a location the user believes the ransomware is likely to embed itself in the environment, such as the C drive in Windows, and have it lay dormant until an infection is attempted.

The ransomware’s file encryption process should stop once it executes its infection DLL since the hijacked DLL will end all the malicious processes leaving just the decryption instructions in the file location.

“Conti looks for and executes DLLs in its current directory,” said hyp3rlinx in a published advisory. “Therefore, we can potentially hijack a vulnerable DLL execute our own code, control and terminate the malware pre-encryption.

“The exploit DLL will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malware’s own vulnerability will do the work for us.”

The explanations of how the mitigation works are the same across the different leading ransomware strains, according to the researcher’s advisories.

It’s unclear what samples of the ransomware families the researcher used in their analysis, but it’s unlikely that all known strains will be vulnerable to DLL hijacking.

For example, experts have told IT Pro that multiple different strains of WannaCry ransomware have been observed in the wild since it infected swathes of computers worldwide almost five years ago, with some being modified to eliminate the ‘kill switch’ vulnerability.

The likes of Conti and REvil have also closed their operations, although the latter is rumoured to be making a return, the ransomware programs are still searchable on the dark web and can be distributed by cyber criminals, whether they are affiliated with the original gang or not.

This means the threat of these now-defunct ransomware strains is still present and the DLL hijacking vulnerability could serve businesses in the case of an attack.

DLL hijacking is a Windows-exclusive phenomenon and refers to how some Windows applications search and load DLL files.

DLL files are at the core of some applications’ functionality and can be seen as fragments of a program. They often come pre-loaded on a Windows machine, allowing other applications to use them to provide common functions like looking up domain names, so developers don’t have to code that functionality into their software each time.

By placing a hijacked DLL file in a location that falls within the search parameters of a vulnerable application, such as these vulnerable ransomware samples, defenders can hijack and terminate the encryption process.

“Malware or ransomware relies on a computational environment and has deep dependencies in code which also involves using Dynamic Link Libraries,” said Kevin Curran, IEEE senior member and professor of cyber security at Ulster University to IT Pro.


Security awareness training strategies for account takeover protection

Why you need an inside-the-perimeter strategy for internal threats


“These DLLs are specific to certain operating systems, whilst others use a similar method of invoking external code to execute functionality. The motivation behind DLLs is rather clever, it acts as a way to minimise memory usage so applications can also share this critical code,” he added.

“Researchers have discovered that they can ‘hijack’ a DLL by placing a ‘benign’ code inside the DLL which is used by the ransomware to encrypt the data. This is the main objective of ransomware, to encrypt all valuable data on a device as the replaced DLL basically halts the critical encryption process.

“This will prove useful in the long run as the creators of the leading ransomware will undoubtedly overcome this new mitigation. It does, however, provide a glimpse of hope in that we can to the best of our abilities, continue to mitigate the damage and threat posed by ransomware attacks.”

Hyp3rlinx said the processes of installed security products like antivirus programs and endpoint protection solutions can potentially be killed by the ransomware’s payload upon execution but this mitigation will not impact such solutions since the DLL lies on the disk waiting.

A full list of the advisories relating to the vulnerable ransomware strains can be found below:

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.