{"id":46481,"date":"2022-05-04T15:05:40","date_gmt":"2022-05-04T15:05:40","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/33408\/Vulnerabilities-Allow-Hijacking-Of-Most-Ransomware-To-Prevent-File-Encryption.html"},"modified":"2022-05-04T15:05:40","modified_gmt":"2022-05-04T15:05:40","slug":"vulnerabilities-allow-hijacking-of-most-ransomware-to-prevent-file-encryption","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-allow-hijacking-of-most-ransomware-to-prevent-file-encryption\/","title":{"rendered":"Vulnerabilities Allow Hijacking Of Most Ransomware To Prevent File Encryption"},"content":{"rendered":"

A researcher has shown how a type of vulnerability affecting many ransomware families can be exploited to control the malware and terminate it before it can encrypt files on compromised systems.<\/span><\/span><\/strong><\/p>\n

Researcher John Page (aka hyp3rlinx) has been running a project called Malvuln<\/a>, which catalogs vulnerabilities found in various pieces of malware.<\/span><\/span><\/span><\/span><\/p>\n

The Malvuln project was launched in early 2021. SecurityWeek wrote about it<\/a> in January 2021, when it only had two dozen entries, and again in June 2021, when it had reached 260 entries<\/a>. As of May 4, 2022, Malvuln has cataloged nearly 600 malware vulnerabilities.<\/span><\/span><\/span><\/span><\/p>\n

In the first days of May, Page added 10 new entries describing vulnerabilities found in the Conti, REvil, Loki Locker, Black Basta<\/a>, AvosLocker, LockBit, and WannaCry ransomware families.<\/span><\/span><\/span><\/span><\/p>\n

The researcher found that these and likely other ransomware families are affected by DLL hijacking vulnerabilities. These types of flaws can typically be exploited for arbitrary code execution and privilege escalation by placing a specially crafted file in a location where it would get executed before the legitimate DLL.<\/span><\/span><\/span><\/span><\/p>\n

In the case of ransomware, an \u201cattacker\u201d can create a DLL file with the same name as a DLL that is searched for and ultimately loaded by the ransomware. If the new DLL is placed next to the ransomware executable, it will be executed instead of the malware. This can be used to intercept the malware and terminate it before it can encrypt any files.<\/span><\/span><\/span><\/p>\n

The researcher noted that the DLLs can be hidden \u2014 he does this in his PoC videos by using the Windows \u201cattrib +s +h\u201d command.<\/span><\/span><\/span><\/p>\n

\u201cEndpoint protection systems and\/or antivirus can potentially be killed prior to executing malware, but this method cannot as there\u2019s nothing to kill \u2014 the DLL just lives on disk waiting,\u201d Page explained<\/a>. \u201cFrom a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach.\u201d<\/span><\/span><\/span><\/span><\/p>\n

Page told SecurityWeek<\/em> that some of the ransomware samples he tested are very recent, but noted that the method works against nearly every ransomware, comparing it to a \u201cPandora\u2019s box of vulnerabilities.\u201d<\/span><\/span><\/span><\/span><\/p>\n

The researcher has also published videos showing exploitation of the vulnerabilities for each ransomware. The videos show how the malware is prevented from encrypting files if a specially crafted DLL file is placed in the same folder as the ransomware executable.<\/span><\/span><\/span><\/span><\/p>\n