HomesecuritySodinokibi ransomware can now encrypt and lock files

Sodinokibi ransomware can now encrypt and lock files

Sodinokibi (REvil) ransomware has added a new feature that allows it to encrypt most of a victim's files, even those that are open and lock in another process.

Some applications, such as databases or mail servers, will lock files that have been opened so that other programs cannot modify them. These "file locks" prevent their destruction data from two processes that can be performed in a file at the same time.

When a file is locked, it also prevents the application of encrypting ransomware applications without first terminating the process that locks the file.

For this reason, many ransomware infections will try to shut down database servers, mail servers and others applications performing file lock before encrypting a computer.

Sodinokibi automatically terminates the process of locking a file

While many ransomware try to shut down the most common applications that are known to lock files, they will not be able to close them all.

In a new report by the intelligence company Intel471 on cybercrime, the researchers found that Sodinokibi now uses the Windows Restart Manager API to close their processes or services. Windows keeping a file open during it encryption.

This API was created by Microsoft to make it easier to install software updates without having to restart free files that need to be replaced by updates.

“The Restart Manager API can eliminate or reduce the number of system reboots required to complete an installation or update. The main reason why software updates require its restart systemic when installing or updating is that some of the currently updated files are being used by a current application or service. Restart Manager allows all but critical system services to shut down and restart. This frees up used files and allows the installation process to be completed, ”she explains Microsoft in the API documentation.

In addition to using the API when encrypting files, ransomware developers also use it on their decryptor.

As noted by security researcher Vitali Kremez, in the REvil Decryptor v2.2, shown above, the Windows Restart Manager API is used to make sure none procedure does not keep a file open when the decryptor tries to decrypt it.


Sodinokibi / REvil are not the first ransomware families to use this API in malware as well as SamsSam and LockerGoga they also use it.

Unfortunately, the use of this API by ransomware infections has both disadvantages and advantages.

It will be easier for victims to decrypt files after paying ransom, but Sodinokibi will now be able to encrypt more files, especially critical ones.

Teo Ehc
Be the limited edition.