
Sodinokibi ransomware can now penetrate locked files


The Sodinokibi ransomware has gained a new feature that allows it to encrypt files that were previously out of its reach.

According to an Intel 471 report, the malware can now encrypt both locked files and those in use by other applications and processes, such as databases or mail servers.

Windows applications and services typically lock the files they have open to stop two processes writing to the same file at once and corrupting it. To let software updates be installed without a reboot, however, Microsoft developed the Windows Restart Manager API, which can identify the processes holding a given file open and shut them down so the file can be replaced.

Previously, Sodinokibi tried to unlock every file before encrypting it, but was not always successful. Now that it can call the Restart Manager API to close the processes holding files open, its success rate is expected to skyrocket.
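As an added illustration from the defender's side (example code, not from the Intel 471 or Bleeping Computer reports), the following Python scans flattened Sysmon Event ID 7 (ImageLoad) records for processes that load RstrtMgr.dll, the system library that implements the Restart Manager API, and flags any loader that is not a known Windows servicing component. The sample log lines, the allowlist of expected loaders and the severity rule are constructed assumptions to be tuned to your own environment.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample Sysmon Event ID 7 (ImageLoad) records, flattened to one
# line each. These lines are made up for the example and are not real telemetry.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\System32\\msiexec.exe ImageLoaded=C:\\Windows\\System32\\RstrtMgr.dll",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe ImageLoaded=C:\\Windows\\System32\\RstrtMgr.dll",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "EventID=7 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe ImageLoaded=C:\\Windows\\System32\\rstrtmgr.dll",
    "EventID=1 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=",
]

# Processes expected to use the Restart Manager, keyed by lowercase basename.
# This allowlist is an assumption for the example; tune it to your own fleet.
ALLOWED_LOADERS = {"msiexec.exe", "tiworker.exe", "trustedinstaller.exe", "wusa.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")

EVENT_RE = re.compile(r"EventID=(\d+) Image=(.*) ImageLoaded=(.*)$")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into its EventID, Image and ImageLoaded fields."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return {"EventID": m.group(1), "Image": m.group(2), "ImageLoaded": m.group(3)}


def flag_restart_manager_loads(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (image, severity) for each non-allowlisted process that loads RstrtMgr.dll.

    Severity is 'high' when the loader runs from a user-writable directory, where a
    dropped ransomware binary would typically execute, and 'medium' otherwise.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] != "7":
            continue  # only ImageLoad events carry the loaded-DLL field
        if ntpath.basename(ev["ImageLoaded"]).lower() != "rstrtmgr.dll":
            continue
        image = ev["Image"]
        image_lc = image.lower()
        if ntpath.basename(image_lc) in ALLOWED_LOADERS and image_lc.startswith("c:\\windows\\"):
            continue  # expected Windows servicing component
        severity = "high" if image_lc.startswith(USER_WRITABLE_PREFIXES) else "medium"
        hits.append((image, severity))
    return hits


if __name__ == "__main__":
    for image, severity in flag_restart_manager_loads(SAMPLE_EVENTS):
        print(f"[{severity}] RstrtMgr.dll loaded by {image}")
```

Legitimate third-party installers and some applications also load RstrtMgr.dll, so the medium-severity hits are a starting point for baselining rather than a verdict.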

According to Bleeping Computer, Sodinokibi is not the only ransomware strain to abuse this API: SamSam and LockerGoga have both already used the same technique.

In the first quarter of the year, ransom demands made by ransomware operators rose 33 per cent quarter-on-quarter. Meanwhile, the average ransom payout currently sits at $111,605, paid mostly by large enterprises.

The most potent ransomware families remain Sodinokibi, Ryuk and Phobos, with Sodinokibi alone holding roughly a quarter of the market (26.7 per cent).