A researcher by the name of hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil, LockBit, and many others, have a flaw that makes them vulnerable to DLL hijacking.
By exploiting the flaw, the researcher was able to stop the ransomware from doing the one thing it exists to do: encrypting files.
As reported by BleepingComputer, DLL hijacking is usually used to inject malicious code into legitimate applications. Here the researcher turned the technique against the malware itself, building a proof of concept and recording a demo video that shows how it is done.
Hacking DLLs
DLL hijacking exploits the way Windows applications locate and load Dynamic Link Library (DLL) files. A program that requests a library by bare file name, without sufficient checks on where that file comes from, can end up loading a DLL from a directory the attacker controls. The attacker's code then runs inside the process, with whatever privileges that process already has.
In this case, the researcher wrote his own code and compiled it into a DLL with a file name the ransomware expects to load. It is also important, the researcher points out, that the DLL be placed where ransomware operators typically drop and run their malware, such as a network share holding key data.
The planted DLL is loaded when the ransomware starts, and its code kills the process before any file is encrypted.
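To see why a file dropped into the launch directory wins, it helps to model the Windows DLL search order. The following is an added example, not the researcher's proof of concept: an in-memory model of the loader's search order with a simulated file system, so it runs on any platform. It shows that a non-KnownDLL import requested by bare name resolves to the application directory first, that a decoy planted there shadows the legitimate copy in System32, and that KnownDLLs such as kernel32.dll cannot be shadowed this way. The share path, file names, import list and the KnownDLLs subset are all constructed for illustration; the real strain's imports would come from its PE import table, and the decoy's own payload (a DllMain that terminates the process) is a few lines of Windows C not modelled here. The model also ignores manifest redirection, SetDllDirectory and LOAD_LIBRARY_SEARCH_* flags, any of which changes the outcome.

```python
# Added example (not the researcher's PoC): model of the Windows DLL search
# order used to reason about where a decoy DLL must sit to be picked up.
# All paths and names below are constructed for illustration.

SYSTEM32 = r"C:\Windows\System32"
SYSTEM_DIRS = [SYSTEM32, r"C:\Windows\System", r"C:\Windows"]

# KnownDLLs are always mapped from System32 and cannot be shadowed from the
# application directory. Constructed subset; the real list is in the registry
# under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Directories the loader walks for a DLL requested by bare file name.

    With SafeDllSearchMode on (the default) the current directory is searched
    after the system directories; with it off, right after the application
    directory. The application directory comes first either way, which is
    what makes dropping a file next to the executable effective.
    """
    if safe_search:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve(name, fs, app_dir, cwd, path_dirs=(), safe_search=True):
    """Return the path the loader would pick for `name`, or None.

    `fs` is a set of lower-cased absolute paths standing in for the file
    system. A name containing a path separator is treated as an explicit
    path and is only honoured if that exact file exists.
    """
    lname = name.lower()
    if "\\" in lname:
        return name if lname in fs else None
    if lname in KNOWN_DLLS:
        return f"{SYSTEM32}\\{lname}"
    for d in search_order(app_dir, cwd, list(path_dirs), safe_search):
        candidate = f"{d}\\{lname}"
        if candidate.lower() in fs:
            return candidate
    return None


def hijackable_imports(imports, fs, app_dir):
    """Import names that would resolve to a file planted in app_dir.

    Bare-name imports that are not KnownDLLs and are not already present in
    app_dir: for each of these a decoy at app_dir\\<name> wins the search.
    """
    result = []
    for name in imports:
        lname = name.lower()
        if "\\" in lname or lname in KNOWN_DLLS:
            continue
        if f"{app_dir}\\{lname}".lower() in fs:
            continue  # a file is already there; it would have to be replaced, not planted
        result.append(lname)
    return result


def plant_decoy(fs, app_dir, name):
    """Simulate dropping the decoy DLL into the directory the malware runs from."""
    fs.add(f"{app_dir}\\{name}".lower())


# Constructed scenario: the sample is launched from a network share.
SHARE = r"\\fileserver\finance"
FS = {
    f"{SYSTEM32}\\ntdll.dll".lower(),
    f"{SYSTEM32}\\kernel32.dll".lower(),
    f"{SYSTEM32}\\version.dll".lower(),   # legitimate copy lives in System32
    f"{SYSTEM32}\\cryptsp.dll".lower(),
    f"{SHARE}\\ransom.exe".lower(),       # placeholder name for the sample
}
# Constructed import list; a real one comes from the sample's PE import table.
IMPORTS = ["kernel32.dll", "ntdll.dll", "version.dll", "cryptsp.dll"]


def demo():
    """Resolve before and after planting; returns a tuple for inspection."""
    fs = set(FS)  # work on a copy so the scenario is repeatable
    before = resolve("version.dll", fs, SHARE, SHARE)
    candidates = hijackable_imports(IMPORTS, fs, SHARE)
    plant_decoy(fs, SHARE, "version.dll")
    after = resolve("version.dll", fs, SHARE, SHARE)
    # A same-named file next to the exe does not move a KnownDLL off System32.
    plant_decoy(fs, SHARE, "kernel32.dll")
    pinned = resolve("kernel32.dll", fs, SHARE, SHARE)
    return before, candidates, after, pinned


if __name__ == "__main__":
    for label, value in zip(("before", "candidates", "after", "kernel32"), demo()):
        print(f"{label}: {value}")
```

Running it shows version.dll resolving to System32 before the decoy is planted and to the share afterwards, while kernel32.dll stays pinned to System32 no matter what sits next to the executable. The practical check on a real sample is the same: list its bare-name imports, subtract KnownDLLs, and what remains is where a decoy can be placed.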
What makes this method even deadlier is that it is not a security product, so it cannot be circumvented in the way ransomware strains typically circumvent antivirus and other cybersecurity solutions.
The big question is – how long will this mitigation measure last? Ransomware operators often update and upgrade their products, and if it’s a newly discovered flaw, it’s probably only a matter of time before it’s fixed.
Unfortunately, ransomware operators are quick and diligent, so we can expect the hole to be plugged sooner rather than later.
Via: BleepingComputer