The Sodinokibi (REvil) ransomware has added a new feature that allows it to encrypt more of a victim’s files, even those that are opened and locked by another process. Ransomware is now using the Windows Restart Manager API to shut down processes or shut down Windows services keeping a file open during encryption. The API was created by Microsoft to make it easier to install software updates without performing a restart to free files that the updates need to replace. Both SamsSam and LockerGoga use the API in their malware as well.
Source: https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-can-now-encrypt-open-and-locked-files/