A researcher going by the name hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil and LockBit, among many others, carry a flaw that makes them vulnerable to DLL hijacking.
By exploiting the flaw, the researcher was able to stop the ransomware from doing the one thing it exists to do: encrypting files.
As reported by BleepingComputer, DLL hijacking is usually used to inject malicious code into legitimate applications. For these ransomware strains, however, the researcher turned the technique around, creating a proof of concept and recording a demo video that shows how it is done.
DLL hijacking
DLL hijacking exploits how applications search for and load Dynamic Link Library (DLL) files. A program that does not check where its DLLs come from can load one from a path outside its own directory, which amounts to arbitrary code execution inside that program and, if the program runs with higher rights, privilege escalation.
In this case, the researcher wrote custom code and compiled it into a DLL with a name the ransomware expects to load. It is also important, the researcher stresses, that the DLL be placed where ransomware operators usually drop and run their malware, such as a network location holding key data.
That would stop the ransomware before it ever starts.
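The mechanism described above, modelled as an added example that is not part of the original article or of the researcher's proof of concept: a simplified Python model of the Windows DLL search order (assumed: SafeDllSearchMode is on, as it is by default; the model ignores the KnownDLLs list, modules already loaded in the process and manifest redirection), the System32-only resolution a hardened program gets when it loads with LOAD_LIBRARY_SEARCH_SYSTEM32, and an audit helper that lists DLLs in non-system directories that shadow a System32 DLL of the same name. All directory and file names are constructed for the example.

```python
"""Simplified model of where Windows looks for a DLL given only by file name,
to show why a copy placed in the directory a program runs from wins."""
from typing import Dict, List, Optional, Sequence, Set, Tuple

SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"

# Constructed sample file system: directory -> lower-case DLL names found there.
SAMPLE_FS: Dict[str, Set[str]] = {
    SYSTEM_DIR: {"helper.dll", "netutil.dll"},
    r"\\fileserver\share\data": {"helper.dll"},  # copy planted where the program is run from
    r"C:\Users\alice\bin": set(),
}


def search_order(app_dir: str, cwd: str, path_dirs: Sequence[str],
                 safe_search: bool = True) -> List[str]:
    """Directories probed, in order, for a DLL named without a path.

    Assumption: this follows the documented default order only; KnownDLLs,
    already-loaded modules and manifest redirection are left out.
    """
    if safe_search:  # SafeDllSearchMode on: current directory probed after system dirs
        order = [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd]
    else:            # SafeDllSearchMode off: current directory probed right after app dir
        order = [app_dir, cwd, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    return order + list(path_dirs)


def resolve_dll(name: str, fs: Dict[str, Set[str]], app_dir: str, cwd: str,
                path_dirs: Sequence[str] = (), safe_search: bool = True) -> Optional[str]:
    """Full path of the first directory in search order that holds `name`, else None."""
    wanted = name.lower()
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        if wanted in fs.get(directory, set()):
            return directory.rstrip("\\") + "\\" + wanted
    return None


def resolve_system32_only(name: str, fs: Dict[str, Set[str]]) -> Optional[str]:
    """What a hardened loader gets with LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32):
    only the system directory is probed, so a planted copy elsewhere is never chosen."""
    wanted = name.lower()
    if wanted in fs.get(SYSTEM_DIR, set()):
        return SYSTEM_DIR + "\\" + wanted
    return None


def find_shadowing_dlls(fs: Dict[str, Set[str]],
                        system_dir: str = SYSTEM_DIR) -> List[Tuple[str, str]]:
    """Audit helper: DLLs outside the system directory whose name matches a system DLL.
    These are the files that would be picked up ahead of the real one."""
    system_names = {n.lower() for n in fs.get(system_dir, set())}
    hits: List[Tuple[str, str]] = []
    for directory, names in fs.items():
        if directory.lower() == system_dir.lower():
            continue
        for n in sorted(names):
            if n.lower() in system_names:
                hits.append((directory, n))
    return sorted(hits)


if __name__ == "__main__":
    share = r"\\fileserver\share\data"
    # Program run from the share: the planted copy shadows the System32 one.
    print(resolve_dll("helper.dll", SAMPLE_FS, app_dir=share, cwd=r"C:\Users\alice\bin"))
    # Program run elsewhere with the share only as current directory: safe mode picks System32.
    print(resolve_dll("helper.dll", SAMPLE_FS, app_dir=r"C:\Users\alice\bin", cwd=share))
    print(resolve_system32_only("helper.dll", SAMPLE_FS))
    print(find_shadowing_dlls(SAMPLE_FS))
```

The first resolution shows the case the article describes: a program started from the network location loads the DLL sitting next to it rather than the one in System32. The audit helper is the defender's view of the same fact, listing every place a same-named copy would be loaded first.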
What makes this method even more potent is that it cannot be classified as a security solution, and so it cannot be bypassed the way ransomware strains usually evade antivirus and other cybersecurity products.
The big question is how long this mitigation will last. Ransomware operators regularly update and upgrade their products, and if this is a newly discovered flaw, it is probably only a matter of time before it gets patched.
Unfortunately, ransomware operators are quick and diligent, so we can expect the hole to be plugged sooner rather than later.
Via: BleepingComputer