This week in ransomware we learned of a new variant called DEVMAN. While it is worth understanding in its own right, it's not what I'm here to talk about this week. DEVMAN works (in part) by using the Windows Restart Manager API to unlock and encrypt files that would otherwise be locked because they are in use. Ransomware can only be effective if it takes control of those in-use files as well. Historically, ransomware has typically used task-killing approaches that were neither elegant nor especially effective. This approach has the added "benefit" of making DEVMAN more evasive and harder to detect, and it leaves fewer traces.
Why do I mention this? Because the Windows Restart Manager API was designed to improve Windows reliability and performance. It makes restarts less annoying, which has been a huge multi-decade effort at Microsoft. But we need to look at the world as an attacker does if we hope to defend successfully. This is neither the first nor the last example we will see of "living off the land"; it is the norm for offensive technologies these days. But I do think it's useful to open our eyes to even more parts of an operating system that can be abused. This technique has been around for a couple of years now, but this is the first time I've seen it emerge in such a high-profile way. It's possible this could be solved with one fix from Microsoft, or it could become a normalised target like Mark-of-the-Web. We'll see! In any case, I think the more examples we see like this, the better we get at defending against these threats, so among a week of many security announcements, this one stood out for me.
New DEVMAN Ransomware From DragonForce Attacking Windows 10 and 11 Users