Malware developers are skilled at exploiting software and hardware vulnerabilities to achieve their goals, but the finished products they distribute are not flawless either. For example, security researcher John Page (also known as hyp3rlinx) recently introduced a new anti-ransomware technique. According to the content published on his personal website and Twitter account, John Page specializes in finding vulnerabilities in malware itself and recently shared a method to prevent ransomware from encrypting victims' files.
Video screenshot (from malvuln / YouTube)
It is reported that many ransomware families are affected by DLL hijacking. Normally, attackers use this technique to trick a program into loading a dynamic link library that runs the malicious code they want.
On second thought, though, the same technique can be turned around for "anti-hijacking" and used to stop some types of ransomware.
Screenshot: Ransom WannaCry - Code Execution Vulnerability
On his website, John Page has shared vulnerability details and custom DLLs that work against the latest versions of malware families such as REvil, WannaCry and Conti.
As can be seen, for the defense to work the DLL needs to be waiting in the directory where the attacker is likely to drop the malware.
Screenshot (from malvuln website)
John Page also recommends a layered strategy, such as placing the DLL on network shares that contain important data.
Since the DLL is not invoked until the ransomware itself loads it, the approach works regardless of whether the ransomware has bypassed anti-virus protection.
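As an added illustration (not code from John Page's malvuln project), this is the shape such a "vaccine" DLL takes: built as a Windows DLL and given the file name the ransomware sample tries to load from its own directory, it terminates the host process as soon as it is attached. The DLL name, the log path and the deployment directories are assumptions; only the log-line helper is portable so it can be unit-tested off Windows.

```c
/* vaccine.c: build on Windows as a DLL (e.g. cl /LD vaccine.c) and copy it,
 * under the name the sample loads, into the directories and shares where
 * the ransomware is expected to run. Deploy it only where no legitimate
 * software loads a DLL of that name, since any process that loads it dies. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define VACCINE_LOG "C:\\ProgramData\\vaccine.log"   /* assumed log location */

/* Build the audit line recorded before the host is killed. Kept free of
 * Windows types so it compiles and can be tested on any platform.
 * Returns the line length, or -1 if the buffer is too small. */
int format_alert(char *out, size_t cap, unsigned long pid, const char *image) {
    int n = snprintf(out, cap, "vaccine: terminating pid %lu image=%s", pid, image);
    return (n > 0 && (size_t)n < cap) ? n : -1;
}

#ifdef _WIN32
/* Runs under the loader lock, so only kernel32 calls are used here. */
static void log_and_terminate(void) {
    char image[MAX_PATH] = "<unknown>";
    char line[MAX_PATH + 64];
    DWORD written;
    GetModuleFileNameA(NULL, image, sizeof image);   /* path of the loading .exe */
    int n = format_alert(line, sizeof line, GetCurrentProcessId(), image);
    if (n > 0) {
        HANDLE h = CreateFileA(VACCINE_LOG, FILE_APPEND_DATA, FILE_SHARE_READ, NULL,
                               OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) {
            line[n] = '\n';
            WriteFile(h, line, (DWORD)n + 1, &written, NULL);
            CloseHandle(h);
        }
    }
    /* Kill the process that loaded us before its encryption routine runs. */
    TerminateProcess(GetCurrentProcess(), 1);
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved) {
    (void)hinst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH)
        log_and_terminate();
    return TRUE;
}
#endif
```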
Unfortunately, the DLL anti-hijacking trick only applies to the Microsoft Windows operating system and cannot easily be replicated on Mac, Linux or Android platforms.
In addition, it only attempts to stop the ransomware from encrypting files; it cannot prevent the attacker from accessing the system and leaking data.