REvil ransomware has a new ‘Windows Safe Mode’ encryption mode

silversurfer

Level 83
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,320
The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files.

Windows Safe Mode is a special startup mode that allows users to run administrative and diagnostic tasks on the operating system. This mode only loads the bare minimum of software and drivers required for the operating system to work.

Furthermore, any programs installed in Windows that are configured to start automatically will not start in Safe Mode unless their autorun is configured a certain way.
In a new sample of the REvil ransomware discovered by MalwareHunterTeam, a new -smode command-line argument was added that forces the computer to reboot into Safe Mode before encrypting a device.