Security researcher uses exploits in ransomware to block encryption

Daniel Sims

Staff
In brief: Malware works by exploiting vulnerabilities in software and hardware. However, malware itself is also software, and inevitably has its own vulnerabilities. One security researcher has started taking advantage of this by publishing exploits using vulnerabilities in multiple strains of ransomware.

Security researcher John Page (aka hyp3rlinx) specializes in finding bugs in malware and publishing them on his website and Twitter account. Recently he published a way to use those vulnerabilities to stop ransomware from encrypting files.

As it turns out, many forms of ransomware are susceptible to DLL hijacking. Normally, attackers use DLL hijacking to trick a program into loading a DLL file it isn't supposed to, which makes the program run unwanted code. However, defenders can now use the same technique to hijack and partially block ransomware.

Page's website contains vulnerability write-ups and custom DLLs for the latest versions of ransomware families including REvil, WannaCry, Conti, and more. To work properly, the DLLs need to be waiting in directories where attackers are likely to place their malware. Page suggests a layered approach, such as placing them on a network share containing important data. Because the DLLs don't run until the ransomware loads them, they sidestep ransomware's tendency to disable antivirus protection first.
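To make the mechanism concrete, here is an added example of what a defensive decoy DLL can look like; it is not Page's code and not one of the DLLs from his website. The design (a hypothetical allowlist of legitimate loaders, terminating any other process from DllMain) and the host names in the allowlist are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>

/* Image names (constructed for this example) allowed to load a DLL of this
 * name from the protected folder; any other loader is stopped. */
static const char *ALLOWED_HOSTS[] = { "explorer.exe", "backupagent.exe" };

/* File-name part of a Windows or POSIX path. */
static const char *image_basename(const char *path) {
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    return base;
}

/* Case-insensitive equality: Windows file names are case-insensitive. */
static bool iequals(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Decide whether the process that loaded the decoy should be terminated.
 * An empty host name fails closed (block). */
bool decoy_should_block(const char *host_image_path) {
    const char *name = image_basename(host_image_path);
    if (*name == '\0')
        return true;
    for (unsigned i = 0; i < sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0]; i++)
        if (iequals(name, ALLOWED_HOSTS[i]))
            return false;
    return true;
}

#ifdef _WIN32
#include <windows.h>
/* DllMain runs on the loading thread before LoadLibrary returns, so the host
 * never regains control once the decoy terminates the process here. */
BOOL APIENTRY DllMain(HMODULE module, DWORD reason, LPVOID reserved) {
    if (reason == DLL_PROCESS_ATTACH) {
        char path[MAX_PATH];
        DWORD n = GetModuleFileNameA(NULL, path, MAX_PATH);
        /* TerminateProcess skips other DLLs' detach handlers, which must not
         * run while the loader lock is held inside DllMain. */
        if (n == 0 || n >= MAX_PATH || decoy_should_block(path))
            TerminateProcess(GetCurrentProcess(), 1);
    }
    return TRUE;
}
#endif
```

The allowlist is the practitioner's caveat: a decoy dropped into a shared folder is loaded by whatever searches that folder for a DLL of that name, so legitimate programs must be excluded or they will be killed too.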

DLL hijacking only works on Windows, so unfortunately Page's method won't protect Mac, Linux, or Android users. It also doesn't stop ransomware gangs from accessing systems and leaking data. It only stops encryption, meaning attackers can't ransom their victims' data (unless the threat is to leak it).

With these vulnerabilities now public, ransomware developers will certainly patch them. Hopefully researchers continue to find more.
