Vulnerabilities That Allow Hijacking of Most Ransomware to Prevent File Encryption
A cyber-attack is a malicious attack undertaken by cybercriminals against single or numerous computers, computer systems, networks, or infrastructures utilizing one or more computers. The goal is to interrupt the victim’s business operations or steal important information. Individuals, corporations, governments, and critical infrastructure are potential cyber-attack targets.
To breach a company, ransomware attackers use a variety of methods. Phishing emails are one way to do it. Brute-force attacks are another option. However, one perennially popular approach is to take advantage of a known security flaw. A researcher has demonstrated how a vulnerability common to several ransomware families can help take control of the malware and stop it from encrypting files on infected devices.
John Page (aka hyp3rlinx) is the researcher who has demonstrated how a vulnerability that affects several ransomware families may be exploited to control and eliminate the malware before it encrypts files on vulnerable devices.
Malvuln is a project developed by the researcher that catalogs vulnerabilities uncovered in various kinds of malware. It was launched early in 2021 with only two dozen entries; by June 2021 it had reached 260. Malvuln had almost 600 malware vulnerabilities as of May 4, 2022.
Page uploaded ten new posts in the first several days of May, detailing vulnerabilities in the Conti, Loki Locker, REvil, Black Basta, AvosLocker, LockBit, and WannaCry ransomware families.
According to the researcher, DLL hijacking flaws affect these and potentially other ransomware families. When a specially crafted DLL file is placed in a location that the loader searches before the genuine DLL's, these weaknesses can be exploited for arbitrary code execution and privilege escalation.
When it comes to ransomware, an "attacker" can create a DLL file with the same name as a DLL the malware loads. If the new DLL is placed next to the ransomware executable, it will be loaded instead of the genuine DLL, allowing whoever planted it to control and kill the malware before any files are encrypted.
He has published videos that show how to exploit the ransomware's flaws. The videos demonstrate how a specially constructed DLL file placed in the same folder as the ransomware executable prevents the malware from encrypting files.
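As an added illustration (not code from the article, from Malvuln, or from the researcher), the following Python model of the Windows loader's search order shows why a same-named DLL beside the executable wins, and the KnownDLLs caveat that limits the technique: libraries on that list are always taken from the system directory. The directory layout, DLL names and KnownDLLs subset are constructed for the demo.

```python
"""Simplified model of the Windows DLL search order (SafeDllSearchMode on).
Constructed illustration: layout, DLL names and KnownDLLs subset are made up."""
import shutil
import tempfile
from pathlib import Path

# Assumed KnownDLLs subset: the loader always takes these from the system
# directory, so a copy beside the executable is ignored for them.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def resolve_dll(name, app_dir, system_dir, cwd, path_dirs, known_dlls=KNOWN_DLLS):
    """Return the file the loader would pick for a bare DLL name, or None.

    Simplified order: application directory, system directory, current
    directory, then each PATH entry (16-bit and Windows dirs omitted)."""
    name = name.lower()
    order = [system_dir] if name in known_dlls else [app_dir, system_dir, cwd, *path_dirs]
    for d in order:
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate
    return None


def preemptable_imports(imports, app_dir, system_dir, cwd, path_dirs):
    """Imports a same-named DLL beside the executable would displace: not in
    KnownDLLs, and whose genuine copy currently resolves outside app_dir."""
    found = []
    for name in imports:
        genuine = resolve_dll(name, app_dir, system_dir, cwd, path_dirs)
        if name.lower() not in KNOWN_DLLS and genuine and genuine.parent != Path(app_dir):
            found.append(name.lower())
    return found


def demo():
    """Fake ransomware folder + fake system dir; plant a benign DLL and re-resolve."""
    root = Path(tempfile.mkdtemp())
    app, sysd, cwd = root / "app", root / "system32", root / "cwd"
    for d in (app, sysd, cwd):
        d.mkdir()
    for n in ("kernel32.dll", "cryptsp.dll", "version.dll"):
        (sysd / n).write_bytes(b"")  # stand-ins for the genuine libraries
    imports = ["kernel32.dll", "cryptsp.dll", "version.dll"]
    before = preemptable_imports(imports, app, sysd, cwd, [])
    (app / "version.dll").write_bytes(b"")  # the planted same-named DLL
    winner = resolve_dll("version.dll", app, sysd, cwd, []).parent.name
    shutil.rmtree(root)
    return before, winner  # (['cryptsp.dll', 'version.dll'], 'app')
```

Only imports resolved by bare name and absent from KnownDLLs are affected, which is why the researcher's findings are per-family rather than universal.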
Authentication bypass, hardcoded credentials, command/code execution, DoS, SQL injection, XSS, XXE, CSRF, path traversal, information disclosure, insecure permissions, cryptography-related, and other types of vulnerabilities detected in malware are all stored in the Malvuln database.
Page recently released Adversary3, an open-source Python application that makes it easier to retrieve data from the Malvuln database, letting users search for vulnerabilities by attack type.
According to the researcher, the tool could be valuable in red teaming operations. For instance, a tester could search for devices infected with malware and exploit vulnerabilities in that malware to gain elevated privileges.
Page previously told SecurityWeek that he maintains the Malvuln project for the sheer joy of it and doesn't care whether the data is beneficial to anyone. When the project was first announced, some members of the cybersecurity community expressed concern that the data could help malware makers fix vulnerabilities in their code, some of which may have been quietly used for threat intelligence purposes without their knowledge.
This research makes clear that, when it comes to cyber security, the best defense against ransomware is to be proactive rather than reactive. All users in an organization should regularly receive relevant information about common security threats and procedures.
Users must be taught about the dangers of opening unsolicited links and attachments in emails, as this is a common way for ransomware to spread.