REvil ransomware has a new ‘Windows Safe Mode’ encryption mode (Security News, March 2021)

The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files.
Windows Safe Mode is a special startup mode that allows users to run administrative and diagnostic tasks on the operating system.
In a new sample of the REvil ransomware discovered by MalwareHunterTeam, a new -smode command-line argument was added that forces the computer to reboot into Safe Mode before encrypting a device.
While REvil is encrypting files, the Safe Mode screen will be blank, but it is still possible to use Ctrl+Alt+Delete to launch the Windows Task Manager.
REvil's new Safe Mode operation is somewhat unusual in that it requires a user to log in to the device after it restarts into Safe Mode before encryption proceeds.
In 2019, another ransomware known as 'Snatch' also added the ability to encrypt a device in Safe Mode using a Windows service.