Ransomware affects everyone, from the average computer user to schools and from hospitals to massive corporations, leaving a trail of destruction in its wake. While most forms of ransomware simply encrypt the files on your computer and demand payment in exchange for the key, there are variations like the REvil ransomware that have adapted to change your Windows 10 login passwords.
The group behind the infamous REvil ransomware, also known as Sodinokibi (operated as Ransomware as a Service), has previously “adapted” the malware and used it to threaten victims into accepting ransom demands by claiming they had “footage” of the person watching pornographic material. They were also the team who allegedly compromised a computer manufacturer’s systems.
According to a new report by Tech Radar, the group recently adapted the malware yet again, this time to change your Windows 10 login credentials so that the device can be rebooted into Safe Mode. Once a device is in Safe Mode, only core Windows system services are allowed to run, so that a user can verify and troubleshoot their system. This is when the ransomware takes advantage of the limited environment to carry out its nefarious activities.
As the computer’s regular security mechanisms are not functional in Safe Mode, the ransomware can operate in an uninhibited manner, and other volume mirroring and data protection methods employed by the user would also be deactivated, according to the report. This essentially means that the REvil ransomware would be able to run unfettered and take advantage of the system before it was rebooted again.
The report says that the re-worked version of the ransomware also automates the reboot itself: it changes the user’s password to “DTrump4ever” and then configures the computer to log in automatically with those credentials. This removes the need to wait for the user to reboot into Safe Mode themselves, and probably guarantees that a PC can be compromised using this method.
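The behaviour described above leaves traces on the host that a defender can look for: a boot entry flagged to start in Safe Mode, an automatic-logon configuration with a stored password, and a recent account password reset. The following PowerShell audit script is an added example, not code from the article or from the report it cites; it assumes the standard Windows locations for these settings (the `bcdedit` boot store, the Winlogon registry key, and Security Event ID 4724), none of which are named on the page.

```powershell
# Added audit example (not from the article): report the host-level indicators that a
# forced Safe Mode reboot with automatic logon would leave behind.
# Assumptions: run from an elevated PowerShell on Windows 10; standard locations for the
# boot configuration store, the Winlogon key and the Security event log.

function Test-SafeBootFlag {
    # bcdedit prints a "safeboot" line for the {current} entry only when that entry has
    # been set to start in Safe Mode (Minimal or Network) on the next restart.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($bcd | Where-Object { $_ -match '^\s*safeboot\s' })
}

function Get-AutoLogonConfig {
    # Automatic logon is driven by these Winlogon values; a plaintext DefaultPassword
    # next to AutoAdminLogon=1 is the configuration the article describes.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon     = $p.AutoAdminLogon
        DefaultUserName    = $p.DefaultUserName
        HasDefaultPassword = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    }
}

function Test-RecentPasswordReset {
    param([int]$Hours = 24)
    # Event ID 4724 = "An attempt was made to reset an account's password". It is only
    # written when the "Audit User Account Management" subcategory is enabled.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    return (@($events).Count -gt 0)
}

$findings = @()

if (Test-SafeBootFlag) {
    $findings += 'Boot entry {current} is set to start in Safe Mode on the next reboot.'
}

$auto = Get-AutoLogonConfig
if ($auto.AutoAdminLogon -eq '1') {
    $findings += "Automatic logon is enabled for '$($auto.DefaultUserName)' (plaintext DefaultPassword stored: $($auto.HasDefaultPassword))."
}

if (Test-RecentPasswordReset) {
    $findings += 'Security log contains account password reset(s) in the last 24 hours (Event ID 4724).'
}

if ($findings.Count -eq 0) {
    'No Safe Mode / auto-logon indicators found.'
} else {
    $findings
}
```

Any single finding can have a legitimate cause (an administrator troubleshooting, a kiosk configured for auto-logon), so the useful signal is the combination: a Safe Mode boot flag plus a freshly stored auto-logon password on a machine that also logged a password reset is exactly the sequence the report describes and warrants isolating the host before it restarts.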