A lone-wolf researcher has turned the tables on the hackers

A researcher by the name of hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil, LockBit, and many others, have a flaw that makes them vulnerable to DLL hijacking.

By exploiting the flaw, the researcher was able to prevent the ransomware from achieving its main selling proposition: file encryption.

As reported by BleepingComputer, DLL hijacking is usually used to inject malicious code into legitimate applications. For these ransomware strains, however, the researcher turned the technique around, created a proof of concept and recorded a demo video showing how it’s done.

Hacking DLLs

DLL hijacking exploits the way applications search for and load Dynamic Link Library (DLL) files. A program that lacks sufficient checks can load a DLL from a path outside its own directory, which in effect lets whoever controls that path run arbitrary code with the program’s privileges.

In this case, the researcher wrote custom code and compiled it into a DLL carrying a name the ransomware is known to look for. It’s also important, the researcher points out, that the DLL be placed in a location where ransomware operators typically drop and run their malware, such as a network share holding key data.

This kills the ransomware as soon as it starts.
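The mechanism described above depends entirely on where a DLL name is resolved from. The following Python model is an added illustration, not the researcher’s proof of concept or any code from the article: it reproduces the documented Windows search order for a DLL requested by bare name (application directory, then the system directories, then the current directory and PATH, with the current directory moving up to second place when SafeDllSearchMode is off, and KnownDLLs always taken from System32). The filesystem contents, the KnownDLLs subset and the directory names are constructed for the example; no manifest redirection or loader flags are modelled.

```python
"""Simplified model of the Windows DLL search order (assumption: the documented
default order for a DLL loaded by bare name, no manifests or explicit load paths).
Used here to show which copy of a DLL a process would pick up, and to flag
system DLLs that a planted copy would shadow."""
import ntpath
from typing import Dict, List, Optional, Set, Tuple

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"      # legacy 16-bit system directory
WINDIR = r"C:\Windows"

# Constructed example filesystem: directory -> file names present there.
# C:\Shares\Finance is a data share where two DLLs have been planted.
SAMPLE_FS: Dict[str, Set[str]] = {
    SYSTEM32: {"kernel32.dll", "version.dll", "cryptbase.dll"},
    WINDIR: {"notepad.exe"},
    r"C:\Shares\Finance": {"report.xlsx", "version.dll", "kernel32.dll"},
    r"C:\Tools": {"tool.exe", "tool.dll"},
}

# Constructed subset of the KnownDLLs list; the real list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs and is
# always satisfied from System32 regardless of the search path.
KNOWN_DLLS: Set[str] = {"kernel32.dll"}


def search_order(app_dir: str, cwd: str, path_dirs: List[str],
                 safe_dll_search_mode: bool = True) -> List[str]:
    """Directories the loader probes, in order, for a bare DLL name."""
    if safe_dll_search_mode:
        order = [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd]
    else:
        # With SafeDllSearchMode disabled the current directory is searched
        # before the system directories, which is why the setting matters.
        order = [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR]
    return order + list(path_dirs)


def resolve_dll(name: str, app_dir: str, cwd: str, path_dirs: List[str],
                fs: Dict[str, Set[str]] = SAMPLE_FS,
                safe_dll_search_mode: bool = True,
                known_dlls: Set[str] = KNOWN_DLLS) -> Optional[str]:
    """Full path the loader would select for `name`, or None if absent."""
    lname = name.lower()
    if lname in known_dlls:
        return ntpath.join(SYSTEM32, lname)
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        present = {f.lower() for f in fs.get(directory, set())}
        if lname in present:
            return ntpath.join(directory, lname)
    return None


def shadowed_system_dlls(app_dir: str, cwd: str, path_dirs: List[str],
                         fs: Dict[str, Set[str]] = SAMPLE_FS,
                         safe_dll_search_mode: bool = True) -> List[Tuple[str, str]]:
    """Detection heuristic: every System32 DLL whose resolved copy, for a
    process started from `app_dir`, would NOT be the System32 one."""
    findings = []
    for sys_name in sorted(fs.get(SYSTEM32, set())):
        chosen = resolve_dll(sys_name, app_dir, cwd, path_dirs, fs, safe_dll_search_mode)
        if chosen and ntpath.dirname(chosen).lower() != SYSTEM32.lower():
            findings.append((sys_name, chosen))
    return findings


if __name__ == "__main__":
    share, user_dir = r"C:\Shares\Finance", r"C:\Users\alice"
    # Binary launched from the share: the planted version.dll wins.
    print(resolve_dll("version.dll", share, user_dir, []))
    # kernel32.dll is a KnownDLL, so the planted copy is ignored.
    print(resolve_dll("kernel32.dll", share, user_dir, []))
    # Same share as current directory only: safe mode protects, legacy mode does not.
    print(resolve_dll("version.dll", r"C:\Tools", share, [], safe_dll_search_mode=True))
    print(resolve_dll("version.dll", r"C:\Tools", share, [], safe_dll_search_mode=False))
    print(shadowed_system_dlls(share, user_dir, []))
```

The `shadowed_system_dlls` heuristic is the defensive half: run against a real directory listing, it names the system DLLs that a binary started from that directory would load from the wrong place, which is the same condition the researcher relied on and the one a blue team would want to detect on file shares.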

What makes this method even deadlier is the fact that it cannot be categorized as a security solution, and as such cannot be circumvented in the same way that ransomware strains typically circumvent antivirus and other cybersecurity solutions.

The big question is – how long will this mitigation measure last? Ransomware operators often update and upgrade their products, and if it’s a newly discovered flaw, it’s probably only a matter of time before it’s fixed.


Unfortunately, ransomware operators are pretty quick and diligent, and we can expect the hole to be plugged sooner rather than later.

Via: BleepingComputer
