When a file is open or locked, most ransomware cannot encrypt it without first shutting down the process that holds it. Applications such as database or mail servers lock open files so that other programs cannot modify them; the lock prevents data from being corrupted by two processes writing to the same file at once. The Sodinokibi (aka REvil) ransomware now has a feature for terminating the processes that hold such locks, which lets it encrypt files it previously could not. Researchers from cybercrime intelligence firm Intel471 spotted Sodinokibi using the Windows Restart Manager API to close processes or shut down Windows services that keep a file open during encryption. Sodinokibi is not the first ransomware family to use this API in its malware; SamSam and LockerGoga use it as well. Read the article at Bleeping Computer.
WaterISAC reported on an FBI Private Industry Notification (PIN) for Sodinokibi in its April 2, 2020 Security and Resilience Update. The PIN advised on new tactics used by this ransomware and also contained a list of actions organizations can take to avoid becoming victims.