May 29, 2023

The well-known REvil ransomware has extended its attack chain to change the victim's login password so that it can reboot the computer into Windows Safe Mode.

While malicious groups are always updating their attack methodology to counter security measures, the threat actors behind the REvil ransomware are particularly adept at honing their malware to make their attack campaigns more efficient.

A new sample of the REvil ransomware refines the Safe Mode encryption method by changing the logged-on user's password and configuring Windows to log in automatically on reboot. When the -smode argument is used, the ransomware changes the user's password to 'DTrump4ever'.

At the moment it is unknown whether future samples of the REvil ransomware encryptor will continue to use the 'DTrump4ever' password. This new tactic illustrates how ransomware gangs constantly evolve their strategies to successfully encrypt users' devices and demand a ransom payment.
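The behaviour described above leaves two host artefacts a defender can audit: Windows auto-logon configured through the Winlogon registry key, and a boot configuration that forces the next start into Safe Mode. The script below is an added example written for this page, not code from the original post or from the malware analysis it summarises. It assumes it is run as Administrator on the host being checked and that the standard Winlogon registry path and the built-in bcdedit tool are available; it only reads settings and event logs and changes nothing. The 24-hour window for password-reset events is an assumed default, not a value from the post.

```powershell
# Added example: read-only audit for auto-logon and Safe Mode boot settings.
# Assumes an elevated PowerShell session on the host being checked.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# 1. Winlogon auto-logon: AutoAdminLogon = "1" together with a DefaultUserName
#    (and often a plaintext DefaultPassword) makes the machine log that account
#    in without prompting at the next boot.
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($props -and $props.AutoAdminLogon -eq '1') {
    $findings += [pscustomobject]@{
        Check = 'Winlogon AutoAdminLogon'
        Value = "Enabled for user '$($props.DefaultUserName)'"
        Note  = if ($props.DefaultPassword) { 'Plaintext DefaultPassword value present' }
                else { 'No DefaultPassword value' }
    }
}

# 2. Boot configuration: a 'safeboot' entry (Minimal or Network) on the current
#    boot loader entry means the next reboot will enter Safe Mode.
$bcd = bcdedit /enum '{current}' 2>$null
$safeboot = $bcd | Select-String -Pattern '^\s*safeboot\s+(\S+)' | Select-Object -First 1
if ($safeboot) {
    $findings += [pscustomobject]@{
        Check = 'BCD safeboot'
        Value = $safeboot.Matches[0].Groups[1].Value
        Note  = 'Next boot will enter Safe Mode'
    }
}

# 3. Recent local password changes: Security events 4723 (change) and 4724
#    (reset). The 24-hour look-back is an assumed default; tune it to your
#    environment.
$since = (Get-Date).AddHours(-24)
$pwEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $since } `
            -ErrorAction SilentlyContinue
foreach ($ev in $pwEvents) {
    $findings += [pscustomobject]@{
        Check = "Security event $($ev.Id)"
        Value = $ev.TimeCreated.ToString('s')
        Note  = ($ev.Message -split "`r?`n")[0]
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No auto-logon, Safe Mode boot, or recent password-change indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any one of these findings can be legitimate (kiosk auto-logon, a technician forcing Safe Mode, a user changing their own password), so the value is in correlation: auto-logon newly enabled for an interactive user, a safeboot flag set, and a password change within the same short window is the combination worth escalating, and scheduling this as a periodic job or folding the same checks into an EDR query gives the data needed to spot it before the reboot completes.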

Asteelflash confirmed it has been the victim of a cybersecurity incident, acknowledging the involvement of REvil ransomware. The attackers demanded a ransom of $24 million, payable in Monero, after initially setting it at $12 million; since negotiations did not reach an agreement in time, the actors doubled the ransom and leaked a first sample of the exfiltrated files.
