Vulnerabilities Allow Hijacking of Most Ransomware to Prevent File Encryption

A researcher has shown how a type of vulnerability affecting many ransomware families can be exploited to control the malware and terminate it before it can encrypt files on compromised systems.

Researcher John Page (aka hyp3rlinx) has been running a project called Malvuln, which catalogs vulnerabilities found in various pieces of malware.

The Malvuln project was launched in early 2021. SecurityWeek wrote about it in January 2021, when it only had two dozen entries, and again in June 2021, when it had reached 260 entries. As of May 4, 2022, Malvuln has cataloged nearly 600 malware vulnerabilities.

In the first days of May, Page added 10 new entries describing vulnerabilities found in the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit, and WannaCry ransomware families.

The researcher found that these and likely other ransomware families are affected by DLL hijacking vulnerabilities. These types of flaws can typically be exploited for arbitrary code execution and privilege escalation by placing a specially crafted DLL in a location that the Windows DLL search order checks before the directory holding the legitimate DLL, so the crafted file is loaded in its place.

In the case of ransomware, an “attacker” can create a DLL file with the same name as a DLL that is searched for and ultimately loaded by the ransomware. If the new DLL is placed next to the ransomware executable, it is loaded into the ransomware process instead of the legitimate DLL, and its code runs before the malware’s own. This can be used to intercept the malware and terminate it before it can encrypt any files.

The researcher noted that the DLLs can be hidden — he does this in his PoC videos by using the Windows “attrib +s +h” command.

“Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot as there’s nothing to kill — the DLL just lives on disk waiting,” Page explained. “From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach.”
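As an added example (not the researcher’s PoC or any Malvuln project code), the following PowerShell script deploys a compiled decoy DLL under the file names a given sample is known to load into folders holding important data, hides it with the System and Hidden attributes the article mentions, and records hashes so the decoys can be audited later. The DLL names, share paths and the decoy DLL itself are placeholders and assumptions; the real names come from the per-sample Malvuln entries.

```powershell
# Added example, not from the article or the Malvuln project.
# Deploys one decoy DLL under several placeholder names into protected folders,
# hides it (equivalent of "attrib +s +h") and writes a manifest for auditing.
param(
    [Parameter(Mandatory)] [string]$DecoyDll,      # compiled decoy DLL (assumed to exist)
    [Parameter(Mandatory)] [string[]]$TargetDirs,  # e.g. '\\fileserver\finance' (placeholder)
    [string[]]$DllNames = @('placeholder1.dll', 'placeholder2.dll'),  # placeholders
    [string]$Manifest = '.\decoy-manifest.csv'
)

# Hash the decoy once; every deployed copy must match it.
$expected = (Get-FileHash -Path $DecoyDll -Algorithm SHA256).Hash

$rows = foreach ($dir in $TargetDirs) {
    foreach ($name in $DllNames) {
        $dest = Join-Path -Path $dir -ChildPath $name
        Copy-Item -Path $DecoyDll -Destination $dest -Force
        # Hidden + System keeps the decoy out of casual directory listings.
        (Get-Item -Path $dest -Force).Attributes =
            [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
        [pscustomobject]@{ Path = $dest; Sha256 = $expected }
    }
}
$rows | Export-Csv -Path $Manifest -NoTypeInformation

# Audit: a decoy that went missing or changed is itself a signal worth alerting on.
function Test-DecoyIntegrity {
    param([Parameter(Mandatory)] [string]$ManifestPath)
    foreach ($r in Import-Csv -Path $ManifestPath) {
        $item = Get-Item -Path $r.Path -Force -ErrorAction SilentlyContinue
        if (-not $item) { "$($r.Path): MISSING"; continue }
        $actual = (Get-FileHash -Path $item.FullName -Algorithm SHA256).Hash
        if ($actual -ne $r.Sha256) { "$($r.Path): MODIFIED" }
    }
}

Test-DecoyIntegrity -ManifestPath $Manifest
```

Run the audit function on a schedule; an empty result means every decoy is still in place and unchanged.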

Page told SecurityWeek that some of the ransomware samples he tested are very recent, but noted that the method works against nearly every ransomware, comparing it to a “Pandora’s box of vulnerabilities.”

The researcher has also published videos showing exploitation of the vulnerabilities for each ransomware. The videos show how the malware is prevented from encrypting files if a specially crafted DLL file is placed in the same folder as the ransomware executable.

The Malvuln database stores information on authentication bypass, command/code execution, hardcoded credentials, DoS, SQL injection, XSS, XXE, CSRF, path traversal, information disclosure, insecure permissions, cryptography-related and other types of vulnerabilities found in malware.

Page recently also unveiled Adversary3, an open source tool described as a “malware vulnerability intel tool for third-party attackers.” The tool is written in Python and it’s designed to make it easier to access data from the Malvuln database, allowing users to find vulnerabilities based on the exploit category.

The researcher says the tool could be useful in red teaming engagements. For example, the tester could look for devices hosting malware and leverage vulnerabilities in that malware to escalate privileges.

When the project was launched, some members of the cybersecurity community raised concerns that the information could be useful to malware developers, helping them fix vulnerabilities, some of which may have silently been exploited for threat intelligence purposes.

However, the ransomware vulnerabilities and the Adversary3 tool show that the project can also be useful to the cybersecurity community.

Related: University Project Cataloged 1,100 Ransomware Attacks on Critical Infrastructure

Related: Conti Ransomware Activity Surges Despite Exposure of Group’s Operations

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
