REvil ransomware automatically logs Windows into Safe Mode

by Sinziana Mihalache
Sinziana Mihalache
Sinziana Mihalache
Sînziana loves getting people to better understand products, processes, and experiences beyond a simple user guide, either in writing or making use of images. She joined the team... read more
Affiliate Disclosure
  • If a device has been infected with the REvil ransomware, auto-login into Safe Mode ensures upon reboot.
  • With the latest changes implemented in the malicious code, no action is needed from the user.
  • The best protection against this type of ransomware attack stays a reliable antivirus.
  • Reports show that most antivirus tools can detect REvil ransomware attacks even after the modifications.
revil ransomware forced reboot

Recent security research revealed that REvil/Sodinokibi ransomware has refined its attack tactics to ensure access to the victims’ operating systems.

The applied changes modify the user’s system login password and force a system reboot only to allow the malware to encrypt the files. Both older and newer Windows operating systems can be affected.

The results of the were published by researcher R3MRUN on his Twitter account.

How does REvil ransomware act to force Safe Mode login?

Before the change, the ransomware would have used an -smode command-line argument to reboot the device into Safe Mode, but it needed the user to manually access that environment.

This is a sneaky and new cyberattack method, considering that Safe Mode is supposed to be…safe and is even recommended as a secure environment for malware cleaning in case of system corruption.

More so, while in Safe Mode, processes aren’t interrupted by security software or servers.

To avoid raising suspicions, the ransomware code has been conveniently modified. Now along using the -smode argument, the ransomware also changes the user’s password to DTrump4ever, the messages show.

Consequently, the malicious file modified some Registry entries and Windows automatically reboots with the new credentials.

The used code is believed to be the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The researcher also pointed out two VirusTotal sources with and without the modified sample of the attack. The surest way to protect your system against such an attempt remains a reliable antivirus.

Get ESET Internet Security

ESET was one of the 70 security tools that were tested to discover the REvil ransomware (modified or not); 59 solutions detected it.

So make sure to install a reliable antivirus and enable real-time protection for your system. As always, we also advise that you avoid suspicious online websites or sources.

This article covers:Topics: