A lone-wolf researcher has turned the tables on the hackers

A researcher by the name of hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil, LockBit, and many others, have a flaw that makes them vulnerable to DLL hijacking.

By exploiting the flaw, the researcher was able to prevent the ransomware from achieving its main selling proposition: file encryption.

As reported by BleepingComputer, DLL hijacking is usually used to inject malicious code into legitimate applications. For these ransomware strains, however, the researcher turned the technique against the malware itself, creating a proof of concept and recording a demo video showing how it’s done.

Hacking DLLs

DLL hijacking exploits the way applications search for and load Dynamic Link Library (DLL) files. A program that performs insufficient checks can be made to load a DLL from a path outside its own directory, which can elevate privileges and allows arbitrary code to run in the program’s context.

In this case, the researcher wrote custom code and compiled it into a DLL bearing a name the ransomware expects to load. It’s also important, the researcher points out, that the DLL be placed in a location where ransomware operators typically drop and run their malware, such as a network share holding key data.

This would kill the ransomware as soon as its process is created, before any encryption takes place.

What makes this method even deadlier is the fact that it cannot be categorized as a security solution, and as such it cannot be circumvented in the same way that ransomware strains typically circumvent antivirus and other cybersecurity solutions.

The big question is – how long will this mitigation measure last? Ransomware operators often update and upgrade their products, and if it’s a newly discovered flaw, it’s probably only a matter of time before it’s fixed.

Unfortunately, ransomware operators are pretty quick and diligent, and we can expect the hole to be plugged sooner rather than later.

Via: BleepingComputer
