[BreachExchange] Sodinokibi ransomware can now encrypt open and locked files

Destry Winant destry at riskbasedsecurity.com
Tue May 12 10:07:56 EDT 2020


https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-can-now-encrypt-open-and-locked-files/

The Sodinokibi (REvil) ransomware has added a new feature that allows
it to encrypt more of a victim's files, even those that are opened and
locked by another process.

Some applications, such as database or mail servers, will lock files
that they have open so that other programs cannot modify them. These
file locks prevent the data from being corrupted by two processes
writing to a file at the same time.

When a file is locked, this also prevents ransomware from encrypting
it without first shutting down the process that holds the lock.

For this reason, many ransomware infections will attempt to shut down
database servers, mail servers, and other applications that perform
file locking before encrypting a computer.

Sodinokibi now automatically terminates processes locking a file

While many ransomware families attempt to shut down the most common
applications known to lock files, they cannot anticipate and terminate
every process that might be holding a file open.

In a new report by cybercrime intelligence firm Intel471, researchers
have spotted that Sodinokibi is now using the Windows Restart Manager
API to close processes or shut down Windows services keeping a file
open during encryption.

Microsoft created this API so that software updates can free the files
they need to replace without forcing a system restart.

"The Restart Manager API can eliminate or reduce the number of system
restarts that are required to complete an installation or update. The
primary reason software updates require a system restart during an
installation or update is that some of the files that are being
updated are currently being used by a running application or service.
The Restart Manager enables all but the critical system services to be
shut down and restarted. This frees files that are in use and allows
installation operations to complete," Microsoft explains in their API
documentation.
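The Restart Manager API lives in rstrtmgr.dll, so an unexpected process loading that library is a useful hunting lead. The following Python triage script is an added defender-side example, not code from the article or from Intel 471's report; the Sysmon-style "image loaded" event lines, the installer allowlist and the user-writable path patterns are constructed assumptions to be tuned per environment.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style records (Event ID 7 = image loaded), not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Windows\System32\msiexec.exe ImageLoaded=C:\Windows\System32\rstrtmgr.dll",
    r"EventID=7 Image=C:\Users\alice\AppData\Local\Temp\inv0ice.exe ImageLoaded=C:\Windows\System32\rstrtmgr.dll",
    r"EventID=7 Image=C:\Program Files\Contoso\backup.exe ImageLoaded=C:\Windows\System32\rstrtmgr.dll",
    r"EventID=7 Image=C:\Users\alice\AppData\Local\Temp\inv0ice.exe ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"EventID=1 Image=C:\Users\alice\AppData\Local\Temp\inv0ice.exe CommandLine=inv0ice.exe",
]

# Assumed baseline of processes expected to load the Restart Manager (installers and
# servicing components). Illustrative only; build the real list from your own telemetry.
EXPECTED_LOADERS = {"msiexec.exe", "tiworker.exe", "setup.exe"}

# Locations a standard user can write to; a Restart Manager client running from here is unusual.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|temp|programdata|users\\public)\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value Key=Value' text into a dict. Values may contain spaces
    (e.g. 'Program Files'), so only split at a space followed by another Key=."""
    fields = re.split(r" (?=\w+=)", line.strip())
    return dict(f.split("=", 1) for f in fields)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding when rstrtmgr.dll is loaded by a process outside the baseline."""
    if event.get("EventID") != "7" or basename(event.get("ImageLoaded", "")) != "rstrtmgr.dll":
        return None
    image = event.get("Image", "")
    if basename(image) in EXPECTED_LOADERS:
        return None
    severity = "high" if USER_WRITABLE.search(image) else "medium"
    return {"image": image, "severity": severity,
            "reason": "Restart Manager loaded by a process outside the installer baseline"}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    findings = [triage(parse_event(line)) for line in lines]
    return [f for f in findings if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['image']}: {f['reason']}")
```

Run against the constructed sample it reports the Temp-resident binary as high and the unknown Program Files binary as medium, while the msiexec.exe load and the non-rstrtmgr events are ignored.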

In addition to using the API while encrypting files, the ransomware
developers are also using it in their decryptor.

Sodinokibi Decryptor

As noted by security researcher Vitali Kremez, in REvil Decryptor
v2.2, shown above, the Windows Restart Manager API is being used to
make sure no processes are keeping a file open when the decryptor
tries to decrypt it.

Windows Restart Manager API used in the decryptor

Sodinokibi/REvil is not the first ransomware family to utilize this
API in its malware, as both SamSam and LockerGoga use it as well.

Unfortunately, the use of this API by ransomware infections has both a
downside and a benefit.

Victims will have an easier time decrypting files after paying a
ransom, but Sodinokibi will now be able to encrypt more files,
especially critical ones.
