The cybersecurity expert MalwareHunterTeam discovered that the REvil ransomware can now encrypt files in Windows Safe Mode. He found a malware sample with a command-line argument that forces the computer to reboot into Safe Mode before encrypting.
REvil can now encrypt files in Windows Safe Mode. The capability was discovered by the cybersecurity expert MalwareHunterTeam (MHT). According to Bleeping Computer, this new feature of the ransomware likely aims to evade detection by security software and to improve its success rate when encrypting files.

Windows Safe Mode is a special startup mode that allows users to run administrative and diagnostic tasks on the operating system. This mode loads only the bare minimum of software and drivers required for the operating system to work. Furthermore, programs installed in Windows that are configured to start automatically will not start in Safe Mode unless their autorun is configured a certain way, which is why security software is often not running there.

MHT discovered in a new sample of the malware a smode command-line argument, which forces the computer to reboot into Safe Mode before encrypting the device. Furthermore, the user can't interrupt this process.
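The detail that matters for defenders is the one the article only hints at: Safe Mode is not empty, it runs whatever Windows is configured to allow there, and the boot configuration can be set so that the next boot lands in Safe Mode. The following PowerShell audit is an added example, not code from the article or from any REvil analysis, and it makes two assumptions: it is run as Administrator on a Windows host, and the registry and BCD locations it reads (`SafeBoot\Minimal`, `SafeBoot\Network`, the `Run`/`RunOnce` keys and the `safeboot` BCD element) are the standard Windows locations for Safe Mode configuration. It reports whether the current boot entry already forces Safe Mode, which services and drivers are whitelisted to load there, and which autorun values would still execute in Safe Mode, so the output can be diffed against a known-good baseline.

```powershell
# Added example (not from the article): audit what would still run in Windows
# Safe Mode and whether the boot configuration currently forces Safe Mode.
# Assumptions: run as Administrator on Windows; the key paths below are the
# standard Windows locations, not values taken from the article.

function Get-SafeModeAutostartReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # 1. Boot configuration: a 'safeboot' element on the {current} entry means
    #    the next boot is already pinned to Safe Mode (Minimal or Network).
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    $report.SafeBootForced = [bool]($bcd | Where-Object { $_ -match '^\s*safeboot\s' })

    # 2. Services and drivers allowed to load in Safe Mode are whitelisted as
    #    subkeys of SafeBoot\Minimal and SafeBoot\Network. A new subkey here is a
    #    high-signal change; diff it against a baseline from a clean host.
    foreach ($profile in 'Minimal', 'Network') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
        $report["SafeBoot$profile"] = @(Get-ChildItem $path -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty PSChildName)
    }

    # 3. Run/RunOnce values normally do not fire in Safe Mode; a value name that
    #    begins with '*' is the documented exception and is rarely legitimate.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $flagged = foreach ($key in $runKeys) {
        $item = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            # PSPath/PSParentPath etc. never start with '*', so they are skipped.
            if ($prop.Name.StartsWith('*')) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
    $report.SafeModeRunEntries = @($flagged)

    [pscustomobject]$report
}

# Usage: run on the host and compare against a baseline captured on a clean build.
$r = Get-SafeModeAutostartReport
if ($r.SafeBootForced) { Write-Warning 'Boot configuration currently forces Safe Mode' }
if ($r.SafeModeRunEntries.Count -gt 0) { $r.SafeModeRunEntries | Format-Table -AutoSize }
$r | ConvertTo-Json -Depth 3
```

The useful signal is change over time rather than any single value: a `safeboot` element appearing on the current boot entry outside a maintenance window, or a new subkey under `SafeBoot\Minimal`, is exactly the kind of pre-encryption preparation this article describes and is visible before the reboot happens. Endpoint agents that matter in Safe Mode should be verified to appear in the `SafeBootMinimal` list, otherwise they are not running when the encryption starts.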