Sodinokibi ransomware is even badder

A new feature has been added to Sodinokibi ransomware that allows it to encrypt more of a victim's files, including those that are open and locked by another process. Databases, mail servers, and some other applications lock the files they have open to prevent other programs from modifying them; the lock prevents the corruption that would result from two processes writing to the same file at the same time. Ransomware also cannot encrypt a locked file without first stopping the process that holds the lock. For this reason, ransomware commonly tries to shut down database servers, mail servers, and other applications that can lock files before it encrypts a computer. Sodinokibi ransomware version 2.2 now contains a feature that uses the Windows Restart Manager API to kill processes or stop Windows services that keep files open during encryption.
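The Restart Manager library is loaded by very few legitimate programs (installers and Windows servicing components are the usual ones), which gives defenders a simple hunting check. The PowerShell snippet below is an added example, not code from the article or from Intel471's report: it lists running processes that have loaded RstrtMgr.dll and are not on an assumed allow-list of known installer components, so an unexpected process holding this DLL can be investigated. The allow-list is an assumption and should be tuned per environment.

```powershell
# Added hunting example (not from the article): find running processes that have loaded the
# Windows Restart Manager library (RstrtMgr.dll) and are not known installer/servicing components.
# Run in an elevated PowerShell session so module lists of other users' processes are readable.

# Assumed allow-list of legitimate Restart Manager users; tune for your environment.
$expected = @('msiexec', 'TiWorker', 'TrustedInstaller', 'setup')

Get-Process -ErrorAction SilentlyContinue |
    Where-Object {
        # Protected processes throw when their module list is read; treat those as "no match".
        try { $_.Modules.ModuleName -contains 'RstrtMgr.dll' } catch { $false }
    } |
    Where-Object { $expected -notcontains $_.ProcessName } |
    Select-Object Id, ProcessName, Path, StartTime |
    Format-Table -AutoSize
```

An empty result is the normal state on a workstation; any hit from a process that is not installing or updating software is worth a closer look, together with the files it has open and its parent process.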

Sodinokibi rearranged

Cybercrime intelligence company Intel471 provided more details about how Sodinokibi (REvil) ransomware uses Windows Restart Manager to encrypt more files in a new report, saying:

“One of the most exciting new features in REvil version 2.2 is the use of the Windows Restart Manager to end processes and services that may lock files intended for encryption. If a process has a file descriptor open for a specific file and the file is then written to by another process (in this case, the ransomware), the Windows operating system (OS) will prevent it. To fix this problem, REvil developers have implemented a technique using the Windows Restart Manager which is also used by other ransomware such as SamSam and LockerGoga.”

The Windows Restart Manager API was originally created by Microsoft to allow Windows PCs to install software updates without first rebooting to free up the files the update will replace. Now that Sodinokibi is using the software giant's API, victims will be able to decrypt their files more easily after paying a ransom, but most of their files will end up being encrypted by the ransomware.

Via BleepingComputer