"Vulnerabilities Allow Hijacking of Most Ransomware to Prevent File Encryption"
A researcher named John Page has shown how a class of vulnerability affecting many ransomware families can be exploited to take control of the malware and terminate it before it encrypts files on a compromised system. Page runs a project called Malvuln, which catalogs vulnerabilities found in various pieces of malware; as of May 4, 2022, it had cataloged nearly 600 malware vulnerabilities.

In the first days of May, Page added ten new entries describing vulnerabilities in the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit, and WannaCry ransomware families. He found that these, and likely other, ransomware families are affected by DLL hijacking vulnerabilities.

DLL hijacking flaws are typically exploited for arbitrary code execution and privilege escalation: the attacker places a specially crafted DLL in a location that the target application searches before the directory holding the legitimate DLL. Turned against ransomware, a defender playing the "attacker" creates a DLL with the same name as one the ransomware searches for and ultimately loads. If that DLL is placed next to the ransomware executable, the loader picks it up instead of the legitimate library, and the code in its entry point runs inside the ransomware process. That code can simply terminate the process before any file is encrypted.

Page noted that the decoy DLLs can be hidden from casual inspection with the Windows "attrib +s +h" command, which marks them as system and hidden files. He also pointed out that, while endpoint protection and antivirus products can potentially be killed before the malware is executed, this method cannot be disabled that way because there is nothing to kill: the DLL just sits on disk, waiting to be loaded. From a defensive perspective, he suggested placing the DLLs on a specific network share containing important data as one layer of a layered defense.
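As an added illustration, not the researcher's proof-of-concept code and not from the article, the following C program models the default Windows DLL search order that makes the trick work, and carries the entry-point logic a decoy "killer" DLL would need. The directory layout, the file names (a hypothetical ransom.exe with decoys for version.dll and kernel32.dll beside it) and the KnownDLLs subset are constructed assumptions for the demo; the search-order simulation runs anywhere, while the DllMain part only compiles on Windows.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PATH_MAX_LEN 260

/* ASCII case-insensitive compare: Windows paths are case-insensitive, and
 * stricmp/strcasecmp are avoided because neither is portable. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        int ca = (*a >= 'A' && *a <= 'Z') ? *a + 32 : *a;
        int cb = (*b >= 'A' && *b <= 'Z') ? *b + 32 : *b;
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* Subset of the KnownDLLs list (assumption: the exact set varies per build).
 * These are always mapped from the system directory, so a same-named file
 * beside the executable is ignored: they cannot be hijacked this way. */
static const char *const KNOWN_DLLS[] = {
    "ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll",
};

typedef struct {
    const char *app_dir, *system_dir, *windows_dir, *cwd;
    const char *const *path_dirs; size_t n_path_dirs;
    const char *const *files;     size_t n_files;   /* constructed "disk" */
} search_env;

static int try_dir(const search_env *env, const char *dir, const char *dll,
                   char *out, size_t outlen) {
    char cand[PATH_MAX_LEN];
    snprintf(cand, sizeof cand, "%s\\%s", dir, dll);
    for (size_t i = 0; i < env->n_files; i++)
        if (ieq(env->files[i], cand)) { snprintf(out, outlen, "%s", cand); return 1; }
    return 0;
}

/* Resolves an unqualified DLL name the way the loader does with the default
 * SafeDllSearchMode=1 order: KnownDLLs come from the system directory; else
 * application dir, system dir, Windows dir, current dir, then PATH. (The
 * 16-bit system dir, side-by-side manifests and already-loaded modules are
 * omitted.) Returns 1 with the winning path in `out`, or 0 if not found. */
int resolve_dll(const search_env *env, const char *dll, char *out, size_t outlen) {
    for (size_t i = 0; i < sizeof KNOWN_DLLS / sizeof *KNOWN_DLLS; i++)
        if (ieq(KNOWN_DLLS[i], dll))
            return try_dir(env, env->system_dir, dll, out, outlen);
    if (try_dir(env, env->app_dir, dll, out, outlen))     return 1;
    if (try_dir(env, env->system_dir, dll, out, outlen))  return 1;
    if (try_dir(env, env->windows_dir, dll, out, outlen)) return 1;
    if (try_dir(env, env->cwd, dll, out, outlen))         return 1;
    for (size_t i = 0; i < env->n_path_dirs; i++)
        if (try_dir(env, env->path_dirs[i], dll, out, outlen)) return 1;
    return 0;
}

/* 1 if `dll` resolves to `expected` (case-insensitively), else 0. */
int resolves_to(const search_env *env, const char *dll, const char *expected) {
    char out[PATH_MAX_LEN];
    return resolve_dll(env, dll, out, sizeof out) && ieq(out, expected);
}

/* 1 if a decoy of this name dropped beside the executable would be loaded. */
int hijackable_from_app_dir(const search_env *env, const char *dll) {
    char decoy[PATH_MAX_LEN];
    snprintf(decoy, sizeof decoy, "%s\\%s", env->app_dir, dll);
    return resolves_to(env, dll, decoy);
}

/* Constructed scenario: ransom.exe in a Downloads folder, with decoys for
 * version.dll (not a KnownDLL) and kernel32.dll (a KnownDLL) beside it. */
const search_env *demo_env(void) {
    static const char *const path_dirs[] = { "C:\\Windows\\System32" };
    static const char *const files[] = {
        "C:\\Users\\victim\\Downloads\\ransom.exe",
        "C:\\Users\\victim\\Downloads\\version.dll",   /* decoy, effective */
        "C:\\Users\\victim\\Downloads\\kernel32.dll",  /* decoy, ignored */
        "C:\\Windows\\System32\\version.dll",
        "C:\\Windows\\System32\\kernel32.dll",
    };
    static const search_env env = {
        "C:\\Users\\victim\\Downloads", "C:\\Windows\\System32", "C:\\Windows",
        "C:\\Users\\victim\\Downloads", path_dirs, 1, files, 5,
    };
    return &env;
}

#ifdef _WIN32
#include <windows.h>
/* Entry point of the decoy DLL itself. When the ransomware's loader maps it,
 * the process is killed before the encryption routine ever gets control.
 * TerminateProcess is used rather than ExitProcess so no other module's
 * DLL_PROCESS_DETACH handler runs while the loader lock is held. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved) {
    (void)hinst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH)
        TerminateProcess(GetCurrentProcess(), 0);
    return TRUE;
}
#endif

int main(void) {
    const char *names[] = { "version.dll", "kernel32.dll", "missing.dll" };
    for (size_t i = 0; i < 3; i++)
        printf("%-13s hijackable from app dir: %d\n", names[i],
               hijackable_from_app_dir(demo_env(), names[i]));
    return 0;
}
```

On Windows the decoy is built as a library, for example with `cl /LD` (MSVC) or `x86_64-w64-mingw32-gcc -shared` (MinGW), and must match the bitness of the sample it targets. Two practical limits follow directly from the search-order model: the name must be one the sample actually resolves through the search path (a DLL it imports by bare name, which is visible in the import table or as a NAME NOT FOUND lookup in Process Monitor), and KnownDLLs or libraries loaded by fully qualified path cannot be hijacked from the application directory at all.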