A lone-wolf researcher has turned the table on the hackers


A researcher going by the name hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil and LockBit, among many others, carry a flaw that makes them vulnerable to DLL hijacking.

By exploiting the flaw, the researcher was able to stop the ransomware from doing the one thing it exists to do: encrypting files.

As reported by BleepingComputer, DLL hijacking is usually used to inject malicious code into legitimate applications. For these ransomware strains, however, the researcher turned the technique against the malware itself, creating a proof of concept and recording a demo video showing how it is done.


DLL hijacking

DLL hijacking exploits how applications search for and load Dynamic Link Library (DLL) files. A program that does not perform sufficient checks can load a DLL from a path outside its own directory, which can allow arbitrary code execution and, in effect, privilege escalation.

In this case, the researcher wrote custom code and compiled it into a DLL carrying a name the ransomware expects to load. It is also important, the researcher stresses, that the DLL is placed where ransomware operators usually drop and run their malware, such as a network location holding key data.

That would kill the ransomware in its inception.
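An added illustration of the approach described above, written for this page and not the researcher's proof of concept (the page gives neither that code nor the DLL names the ransomware families look up): a "vaccine" DLL that, when loaded, checks which process pulled it in and terminates any host that is not on an allowlist. The allowlist entry is a constructed placeholder; the host-name check is plain C so it builds anywhere, while the DllMain part only compiles on Windows.

```c
#include <ctype.h>
#include <stddef.h>

/* Case-insensitive match of the host executable's file name (the part after
   the last '\' or '/') against an allowlist of programs that legitimately
   load a DLL of this name. Returns 1 if the host may keep running. */
int host_is_allowed(const char *exe_path, const char *const *allowlist, size_t n)
{
    const char *base = exe_path;
    for (const char *p = exe_path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    for (size_t i = 0; i < n; i++) {
        const char *a = allowlist[i], *b = base;
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
        if (*a == '\0' && *b == '\0')
            return 1;
    }
    return 0;
}

#ifdef _WIN32
#include <windows.h>

/* Constructed placeholder: programs known to load a DLL of this name for
   legitimate reasons. Anything else that loads us is treated as hostile. */
static const char *const kAllowedHosts[] = { "trusted-backup-agent.exe" };

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char exe[MAX_PATH];
        DWORD len = GetModuleFileNameA(NULL, exe, MAX_PATH);
        if (len == 0 || len >= MAX_PATH)
            exe[0] = '\0';
        if (!host_is_allowed(exe, kAllowedHosts, 1)) {
            /* Leave a trace for the responder, then stop the host before it runs
               further. TerminateProcess is used rather than ExitProcess so that no
               DLL_PROCESS_DETACH callbacks run while the loader lock is still held. */
            OutputDebugStringA("vaccine DLL: unexpected host, terminating: ");
            OutputDebugStringA(exe);
            TerminateProcess(GetCurrentProcess(), 1);
        }
    }
    return TRUE;  /* allowlisted host: load normally and do nothing */
}
#endif
```

The allowlist matters in practice: a legitimate program that happens to load a DLL of the same name from the same location would otherwise be killed too.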

What makes this method even more deadly is the fact that it can’t be classified as a security solution, and as such, cannot be bypassed in the way ransomware strains usually bypass antivirus and other cybersecurity solutions. 

The big question is - how long will this mitigation measure last? Ransomware operators often update and upgrade their products, and if this is a newly discovered flaw, it’s probably only a matter of time before it gets patched up. 

Unfortunately, ransomware operators are quite fast and diligent, and we can expect the hole to be plugged sooner, rather than later.

Via: BleepingComputer