Security News > 2021 > March > REvil ransomware has a new ‘Windows Safe Mode’ encryption mode
The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files.
Windows Safe Mode is a special startup mode that allows users to run administrative and diagnostic tasks on the operating system.
In a new sample of the REvil ransomware discovered by MalwareHunterTeam, a new -smode command-line argument was added that forces the computer to reboot into Safe Mode before encrypting a device.
While REvil is encrypting files, the Safe Mode screen will be blank, but it is still possible to use Ctrl+Alt+Delete to launch the Windows Task Manager.
REvil's new Safe Mode operation is a bit strange as it requires users to log in to the device after they restart into Safe Mode.
In 2019, another ransomware known as 'Snatch' also added the ability to encrypt a device in Safe Mode using a Windows service.