In short: Malicious software works by exploiting vulnerabilities in software and hardware. However, malware itself is also software and inevitably has its own vulnerabilities. One security researcher has taken advantage of this by publishing exploits that exploit vulnerabilities in several strains of ransomware.
Security researcher John Page (also known as hyp3rlinx) specializes in finding malware bugs and publishing them on his website. Web site and Twitter account. He recently published a way to exploit these vulnerabilities to prevent ransomware from encrypting files.
As it turns out, many types of ransomware are susceptible to DLL interception. Typically, attackers use DLL hijacking to force a program to load a DLL file that is not intended for it, which causes them to run unwanted code. However, defenders can currently use this technique to capture and partially block ransomware.
Page’s website contains vulnerabilities and custom DLLs for the latest ransomware, including REvil, Wannacry, Conti, and others. To work properly, DLLs must reside in directories where attackers can place their malware. Page offers a layered approach, such as placing them in a network folder containing sensitive data. Because DLLs do not run until ransomware gains access to them, they bypass ransomware’s tendency to undermine antivirus protection.
DLL interception only works on Windows, so unfortunately Page’s method won’t protect Mac, Linux, or Android users. It also does not prevent ransomware gangs from accessing systems and leaking data. It only stops encryption, which means that attackers cannot ransom their victims’ data (unless they are in danger of being leaked).
Now that these vulnerabilities are public, ransomware developers will be sure to fix them. Hopefully researchers continue to find more.
Credit: www.techspot.com /