REvil ransomware has a new ‘Windows Safe Mode’ encryption mode
#1
Quote: The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files.

Windows Safe Mode is a special startup mode that allows users to run administrative and diagnostic tasks on the operating system. This mode only loads the bare minimum of software and drivers required for the operating system to work.
Furthermore, any programs installed in Windows that are configured to start automatically will not start in Safe Mode unless their autorun is configured a certain way.

One of the ways to create an autorun in Windows is to create entries under the following Registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
The 'Run' keys will launch a program every time you log in, while the 'RunOnce' keys will launch a program only once and then remove the entry from the Registry.

More info HERE
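An added example, not from the quoted article or the forum poster: a PowerShell audit script that enumerates the four Run/RunOnce keys named above and compares them against a saved baseline, so a defender can spot autostart entries that were added or changed between snapshots. The function names, the baseline file format (JSON) and the sample baseline path are my own assumptions; the Registry paths are the ones listed in the post.

```powershell
# Added example (not from the article): audit the Run/RunOnce autostart keys
# listed in the post and report entries that differ from a saved baseline.
# Function names and the JSON baseline format are assumptions of this example.

$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that Get-ItemProperty adds to every result and that are not autorun values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntry {
    # Returns one object per value under each key: Key, Name, Command.
    foreach ($Key in $AutorunKeys) {
        if (-not (Test-Path -Path $Key)) { continue }   # RunOnce keys are often absent
        $Props = Get-ItemProperty -Path $Key
        foreach ($Prop in $Props.PSObject.Properties) {
            if ($Prop.Name -in $ProviderProps) { continue }
            [PSCustomObject]@{
                Key     = $Key
                Name    = $Prop.Name
                Command = [string]$Prop.Value
            }
        }
    }
}

function Save-AutorunBaseline {
    # Writes the current entries to a JSON file for later comparison.
    param([Parameter(Mandatory)][string]$Path)
    ConvertTo-Json -InputObject @(Get-AutorunEntry) -Depth 3 |
        Set-Content -Path $Path -Encoding UTF8
}

function Compare-AutorunBaseline {
    # Reports entries that are new or whose command line changed since the baseline.
    param([Parameter(Mandatory)][string]$Path)
    $Baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $Index = @{}
    foreach ($B in $Baseline) { $Index["$($B.Key)|$($B.Name)"] = $B.Command }

    foreach ($C in @(Get-AutorunEntry)) {
        $Id = "$($C.Key)|$($C.Name)"
        if (-not $Index.ContainsKey($Id)) {
            [PSCustomObject]@{ Change = 'Added';    Key = $C.Key; Name = $C.Name; Command = $C.Command }
        } elseif ($Index[$Id] -ne $C.Command) {
            [PSCustomObject]@{ Change = 'Modified'; Key = $C.Key; Name = $C.Name; Command = $C.Command }
        }
    }
}

# Usage (assumed path): take a snapshot on a known-good host, then re-run the
# comparison periodically or during triage.
#   Save-AutorunBaseline   -Path 'C:\Baselines\autoruns.json'
#   Compare-AutorunBaseline -Path 'C:\Baselines\autoruns.json' | Format-Table -AutoSize
Get-AutorunEntry | Format-Table -AutoSize
```

The script covers only the four keys the post names; on 64-bit Windows the Wow6432Node variants of the HKLM keys, the per-user keys of other accounts, and the Services and Scheduled Tasks stores are further autostart locations a full audit should include. Run it as the user whose HKCU hive you want to inspect, and elevate if you need to read HKLM values that are restricted.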