A new feature has been added to the Sodinokibi ransomware that allows it to encrypt even more of a victim’s files including those that are opened and locked by another process.
Databases, mail servers and some other applications will lock files that they have open to prevent other programs from modifying them. By locking these files, the programs prevent the data they contain from being corrupted as a result of two processes writing to a file at the same time.
Ransomware applications are also unable to encrypt locked files without first shutting down the process that locked them in the first place. For this reason, ransomware will try to shut down database servers, mail servers and other applications that have the ability to lock files before encrypting a computer.
Version 2.2 of the Sodinokibi ransomware now contains a feature that allows it to use the Windows Restart Manager API to close processes or shut down Windows services which keep files open during encryption.
The cybercrime intelligence firm Intel471 provided more details on how the Sodinokibi (REvil) ransomware is using the Windows Restart Manager to encrypt even more files in a new report, saying:
“One of the more interesting new features of REvil version 2.2 is the use of the Windows Restart Manager to terminate processes and services that can lock files targeted for encryption. If a process has an open file handle for a specific file, then writes to that file by another process (in this case, a ransomware) it will be prevented by the Windows operating system (OS). To circumvent this, the REvil developers have implemented a technique using the Windows Restart Manager also used by other ransomware such as SamSam and LockerGoga.”
The Windows Restart Manager API was originally created by Microsoft in order to allow Windows PCs to easily install software updates without first performing a restart in order to free files that the update will replace.
Now that Sodinokibi is using the software giant’s API, victims will be able to more easily decrepit files after paying a ransom but more of their files will end up being encrypted by the ransomware.