This dangerous ransomware changes your Windows passwords, then encrypts your PC

Ransomware affects everyone, from the average computer user to schools and from hospitals to massive corporations, leaving a trail of destruction in its wake. While most forms of ransomware simply encrypt the files on your computer and demand payment in exchange for the key, there are variations like the REvil ransomware that have adapted to change your Windows 10 login passwords.

The group behind the infamous REvil ransomware, also known as Sodinokibi (operating as a Ransomware as a Service) has previously “adapted” the malware and used it to threaten victims into accepting ransom demands by claiming they had “footage” of the person watching pornographic material. They were also the team who allegedly compromised a computer manufacturer's systems.

You may be interested in

LaptopsTablets

27% OFF

Microsoft Surface Studio A1Y 00022

• Platinum Silver
• 16 GB LPDDR4X RAM
• 512 GB SSD

₹179,990₹245,900

Buy now

7% OFF

Microsoft Surface Pro 8 8PV 00029

• Graphite Black
• 16 GB DDR4 RAM
• 256 GB SSD

₹139,999₹149,999

Buy now

47% OFF

Microsoft Surface 4 5UI 00049

• Platinum Silver
• 8 GB DDR4 RAM
• 256 GB SSD

₹98,000₹186,500

Buy now

28% OFF

Microsoft Surface Pro 7 M1866 VDH 00013

• Platinum
• 4 GB LPDDR4X RAM
• 128 GB SSD

₹74,000₹102,990

Buy now

34% OFF

Xiaomi Pad 6

• Mist Blue
• 6 GB RAM
• 128 GB Storage

₹26,299₹39,999

Buy now

55% OFF

Lenovo Tab M10 5G

• Abyss Blue
• 6 GB RAM
• 128 GB Storage

₹20,999₹47,000

Buy now

32% OFF

Realme Pad 2

• Imagination Grey
• 6 GB RAM
• 128 GB Storage

₹19,749₹28,999

Buy now

Honor Pad X9

• Gray
• 4 GB RAM
• 128 GB Storage

₹14,999

Check details

Also read: Ransomware gangs emailing customers of victims to extort them

According to a new report by Tech Radar, the group recently adapted the malware yet again, to change your Windows 10 logins to let the device enter Safe Mode. Once a device is in Safe Mode, only core Windows system services are allowed to run, to allow a user to verify and troubleshoot their systems. Here's when the ransomware takes advantage of this limited system to carry out its nefarious activities.

As the computers regular security mechanisms are not functional in Safe Mode, the ransomware can operate in an uninhibited manner and other volume mirroring and data protection methods employed by the user would also be deactivated, according to the report. This essentially means that the REvil ransomware would be able to run unfettered and take advantage of the system before it was rebooted again.

Read more: Ransomware tops US cyber priorities, Homeland secretary says

The report says that the re-worked version of the ransomware actually automates the process of rebooting the computer too, by changing the user password to “DTrump4ever” and then set up the computer to log in with the proper credentials. This would eliminate the process of having to wait for the user to try and reboot in safe mode, and probably guarantees that a PC can be compromised using this method.