Update to REvil ransomware changes Windows passwords to automate file encryption via Safe Mode
2021-04-16 19:55

The hackers behind the REvil ransomware have released an updated version of the malware that allows them to change Windows passwords and automate file encryption through Safe Mode, according to a recent report from Bleeping Computer.

"Brute force password attacks are typically used with RDP simply because people tend to use simple passwords that are easier to remember. Once in a network, REvil moves laterally to deploy ransomware on all resources for maximum effect," Embrey said.

Cybersecurity experts said the changes highlighted how the REvil group and others continue to update and change their ransomware tactics as companies try to prevent attacks.

"REvil has been evolving its tactics since February 2020, adding DDoS attacks to its arsenal, cold calling victims, and now rebooting machines in Safe Mode. REvil's new update of changing user passwords and automatically logging into a victim device differs from the previous need for a victim to log in to their device after rebooting in Safe Mode," said Jamie Hart, cyber threat intelligence analyst at Digital Shadows.

"The update highlights the group's effort to remain hidden and reduces the risk of red flags during encryption. In 2019, the Snatch ransomware group added the ability to encrypt a device in Safe Mode; it is realistically possible that REvil is implementing tactics that have been successful for other ransomware groups."

The latest update to the REvil ransomware makes troubleshooting and remediation quite difficult after the fact, Veridium CRO Rajiv Pimplaskar said in an email.
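The behaviour described above (a local account password change, automatic logon configured, and the machine rebooted into Safe Mode) is a short sequence that endpoint telemetry can correlate before the reboot happens, which matters because many security agents do not run in Safe Mode. The following is an added detection sketch written for this article; it is not code from the article, from Bleeping Computer or from the quoted analysts, and it does not claim to match REvil's exact implementation. It assumes a simple host telemetry feed of (host, timestamp, source, detail) tuples; the Windows Security event IDs 4723/4724 (password change/reset) and the Winlogon `AutoAdminLogon` registry value are real Windows artifacts, the sample events are constructed, and the 15-minute window and field layout are assumptions.

```python
"""Correlate host telemetry for the Safe Mode ransomware pattern described in
the article: a password change, autologon enabled in the Winlogon key, and the
boot configuration switched to Safe Mode on one host within a short window.
Added example; event layout and window are assumptions, sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows registry key where AutoAdminLogon / DefaultPassword live.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stages that together make up the pattern; any one alone is usually benign.
REQUIRED = {"password_change", "autologon", "safeboot"}

# Constructed sample telemetry (not from the article): (host, ISO time, source, detail).
SAMPLE_EVENTS = [
    ("WS-07", "2021-04-16T19:00:05", "security", "EventID=4724 TargetUser=Administrator"),
    ("WS-07", "2021-04-16T19:00:09", "registry", f"SetValue {WINLOGON_KEY}\\AutoAdminLogon = 1"),
    ("WS-07", "2021-04-16T19:00:10", "registry", f"SetValue {WINLOGON_KEY}\\DefaultPassword = <redacted>"),
    ("WS-07", "2021-04-16T19:00:12", "process", "bcdedit.exe /set {current} safeboot network"),
    ("WS-07", "2021-04-16T19:00:15", "process", "shutdown.exe /r /t 0"),
    # Benign noise on another host: a helpdesk password reset in the morning and an
    # unrelated Safe Mode boot configured hours later, with no autologon change.
    ("WS-12", "2021-04-16T08:14:00", "security", "EventID=4724 TargetUser=jdoe"),
    ("WS-12", "2021-04-16T18:50:00", "process", "bcdedit.exe /set {current} safeboot minimal"),
]


def classify(source, detail):
    """Map one raw event to a pattern stage, or None if it is not relevant."""
    if source == "security" and ("EventID=4723" in detail or "EventID=4724" in detail):
        return "password_change"
    if source == "registry" and detail.startswith(f"SetValue {WINLOGON_KEY}\\AutoAdminLogon"):
        return "autologon"
    if source == "process" and "bcdedit" in detail.lower() and "safeboot" in detail.lower():
        return "safeboot"
    return None


def detect(events, window=timedelta(minutes=15)):
    """Return one alert per host on which all REQUIRED stages occur within `window`.

    Each alert carries the host, the first and last matching timestamps, the set
    of stages seen and the raw evidence lines, so a responder can pivot quickly.
    """
    by_host = defaultdict(list)
    for host, ts, source, detail in events:
        stage = classify(source, detail)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), stage, detail))

    alerts = []
    for host, staged in by_host.items():
        staged.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _, _) in enumerate(staged):
            # Sliding window anchored at each relevant event in turn.
            in_window = [e for e in staged[i:] if e[0] - start <= window]
            stages = {e[1] for e in in_window}
            if REQUIRED <= stages:
                alerts.append({
                    "host": host,
                    "first_seen": start.isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "stages": stages,
                    "evidence": [e[2] for e in in_window],
                })
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']}: {alert['first_seen']} .. {alert['last_seen']}")
        for line in alert["evidence"]:
            print("   ", line)
```

The point of requiring all three stages is precision: password resets and `bcdedit` changes both occur legitimately, but the combination on one host within minutes is the setup the article describes, and it is visible before the reboot removes the agent's view. A production rule would read the same artifacts from Security and Sysmon logs (or the EDR's registry and process events) rather than from the constructed tuples used here.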


News URL

https://www.techrepublic.com/article/update-to-revil-ransomware-changes-windows-passwords-to-automate-file-encryption-via-safe-mode/#ftag=RSS56d97e7