A cyber security researcher has analysed leading ransomware samples and found a simple trick to stop them from executing their file encryption process on targeted machines.
Vulnerable samples including Conti, REvil, AvosLocker, WannaCry, and LockBit were all tested and found to be vulnerable to dynamic link library (DLL) hijacking.
It means businesses concerned about ransomware attacks can deploy mitigation to help prevent future ransomware attacks launched with these specific strains that are vulnerable to DLL hijacking.
The security researcher, known by the handle hyp3rlinx, said the specially crafted hijacked DLL file can be placed in a location the user believes the ransomware is likely to embed itself in the environment, such as the C drive in Windows, and have it lay dormant until an infection is attempted.
The ransomware’s file encryption process should stop once it executes its infection DLL since the hijacked DLL will end all the malicious processes leaving just the decryption instructions in the file location.
“Conti looks for and executes DLLs in its current directory,” said hyp3rlinx in a published advisory. “Therefore, we can potentially hijack a vulnerable DLL execute our own code, control and terminate the malware pre-encryption.
“The exploit DLL will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malware’s own vulnerability will do the work for us.”
The explanations of how the mitigation works are the same across the different leading ransomware strains, according to the researcher’s advisories.
It’s unclear what samples of the ransomware families the researcher used in their analysis, but it’s unlikely that all known strains will be vulnerable to DLL hijacking.
For example, experts have told IT Pro that multiple different strains of WannaCry ransomware have been observed in the wild since it infected swathes of computers worldwide almost five years ago, with some being modified to eliminate the ‘kill switch’ vulnerability.
The likes of Conti and REvil have also closed their operations, although the latter is rumoured to be making a return, the ransomware programs are still searchable on the dark web and can be distributed by cyber criminals, whether they are affiliated with the original gang or not.
This means the threat of these now-defunct ransomware strains is still present and the DLL hijacking vulnerability could serve businesses in the case of an attack.
DLL hijacking is a Windows-exclusive phenomenon and refers to how some Windows applications search and load DLL files.
DLL files are at the core of some applications’ functionality and can be seen as fragments of a program. They often come pre-loaded on a Windows machine, allowing other applications to use them to provide common functions like looking up domain names, so developers don’t have to code that functionality into their software each time.
By placing a hijacked DLL file in a location that falls within the search parameters of a vulnerable application, such as these vulnerable ransomware samples, defenders can hijack and terminate the encryption process.
“Malware or ransomware relies on a computational environment and has deep dependencies in code which also involves using Dynamic Link Libraries,” said Kevin Curran, IEEE senior member and professor of cyber security at Ulster University to IT Pro.
RELATED RESOURCE
Security awareness training strategies for account takeover protection
Why you need an inside-the-perimeter strategy for internal threats
“These DLLs are specific to certain operating systems, whilst others use a similar method of invoking external code to execute functionality. The motivation behind DLLs is rather clever, it acts as a way to minimise memory usage so applications can also share this critical code,” he added.
“Researchers have discovered that they can ‘hijack’ a DLL by placing a ‘benign’ code inside the DLL which is used by the ransomware to encrypt the data. This is the main objective of ransomware, to encrypt all valuable data on a device as the replaced DLL basically halts the critical encryption process.
“This will prove useful in the long run as the creators of the leading ransomware will undoubtedly overcome this new mitigation. It does, however, provide a glimpse of hope in that we can to the best of our abilities, continue to mitigate the damage and threat posed by ransomware attacks.”
Hyp3rlinx said the processes of installed security products like antivirus programs and endpoint protection solutions can potentially be killed by the ransomware’s payload upon execution but this mitigation will not impact such solutions since the DLL lies on the disk waiting.
A full list of the advisories relating to the vulnerable ransomware strains can be found below:
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
Third time lucky? Microsoft finally begins roll-out of controversial Recall featureNews The Windows Recall feature has been plagued by setbacks and backlash from security professionals
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
