Proofpoint cybersecurity experts: groups from India, Russia and China exploit this technique. The files have a low detection rate by public antivirus.
Bleeping Computer: REvil evolves again, now changes the password to auto-login in Safe Mode. The ransomware automates file encryption via Safe Mode using the “DTrump4ever” password, according to a sample discovered by R3MRUM.
REvil (aka Sodinokibi) is evolving again: it now automates file encryption via Safe Mode after changing the Windows password, Bleeping Computer reports. In March, the cybercrime actors added a Windows Safe Mode encryption mode to the ransomware. It can be enabled with the -smode command-line argument, which reboots the device into Safe Mode, where the encryption of files is performed. At the end of last month, a new sample of the malware was discovered by the cybersecurity researcher R3MRUM. It refines the Safe Mode encryption method by changing the logged-on user’s password and configuring Windows to log in automatically on reboot. When the -smode argument is used, the ransomware changes the user’s password to “DTrump4ever.” It then configures Registry values so that Windows automatically logs in with the new account information. At least two samples uploaded to VirusTotal in recent days use this technique.
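As an added example (not from the Bleeping Computer article, the researcher, or the REvil sample itself), the following PowerShell audit checks a Windows host for the two conditions the report describes: a boot entry armed for Safe Mode and a Winlogon automatic logon with a stored password. The Winlogon value names (AutoAdminLogon, DefaultUserName, DefaultPassword) and the bcdedit "safeboot" element are standard, documented Windows settings; the article does not list which Registry values the sample writes, so assuming these are the exact ones REvil touches is an assumption of this example. The Security event IDs 4723/4724 are the standard Windows password change/reset events and are used here only as a correlation signal.

```powershell
# Added defensive audit example; not code from the article or the REvil sample.
# Assumption: the auto-logon the article describes uses the standard Winlogon
# values below, and the Safe Mode boot is armed via the BCD "safeboot" element.

$findings = @()

# 1. Winlogon automatic logon. These values are legitimately used by kiosk and
#    lab images, so a hit is a triage item, not an automatic block.
$winlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogonPath -ErrorAction SilentlyContinue
if ($wl -and $wl.AutoAdminLogon -eq '1') {
    $msg = "AutoAdminLogon enabled for user '$($wl.DefaultUserName)'"
    if ($wl.PSObject.Properties.Name -contains 'DefaultPassword') {
        $msg += ' with a plaintext DefaultPassword stored'
        # Password string reported for the sample in the article above.
        if ($wl.DefaultPassword -eq 'DTrump4ever') {
            $msg += ' that matches the published REvil value'
        }
    }
    $findings += $msg
}

# 2. Safe Mode armed for the next boot. bcdedit prints a "safeboot" line for
#    the entry only when that element is set. Braces are quoted so PowerShell
#    does not parse {current} as a script block.
$bcd = bcdedit /enum '{current}' 2>$null
$safeboot = $bcd | Select-String -Pattern '^\s*safeboot\s+' | Select-Object -First 1
if ($safeboot) {
    $findings += "Current boot entry has safeboot set: $($safeboot.Line.Trim())"
}

# 3. Recent local password changes/resets (Security 4723 = change, 4724 = reset).
#    Needs an elevated shell. One of these landing within minutes of (1) and (2)
#    is the combination worth alerting on.
$since = (Get-Date).AddHours(-24)
$pwEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $since } `
    -ErrorAction SilentlyContinue
if ($pwEvents) {
    $findings += "$(@($pwEvents).Count) password change/reset event(s) in the last 24h"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Safe Mode auto-logon indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell session; the Registry and BCD checks work without elevation, but reading the Security log does not. The useful detection is the conjunction: an auto-logon appearing on a machine that never had one, a safeboot element set on the current boot entry, and a password reset for the same account in the same short window.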