AvosLocker Is Dangerous, Ransomware Exploiting Safe Mode


Sophos, a leader in next-generation cybersecurity, has shared its findings on the AvosLocker ransomware in a research article titled “AvosLocker Remotely Accesses Boxes, Even Running in Safe Mode”. The research explains how attackers circumvented security controls by combining the Windows Safe Mode feature with the AnyDesk remote administration tool. Safe Mode is intended for troubleshooting IT problems and, as a side effect, leaves most security and IT management tools disabled.

AvosLocker is a relatively new ransomware-as-a-service offering that first appeared in late June 2021 and is growing in popularity. The Sophos Rapid Response team has so far encountered AvosLocker attacks targeting Windows and Linux systems in the Americas, the Middle East and the Asia Pacific region.

Peter Mackenzie, Sophos Incident Response Team Director, provides the details as follows:

“Those behind AvosLocker focus on disabling the security solution components and activating the ransomware after installing AnyDesk to run in Safe Mode on target systems. Thus, they have comprehensive remote control over all the systems they target. We’ve never seen it used together in this way for this purpose. IT security teams facing such attacks need to be aware that the risk persists until traces of AnyDesk installations on all affected machines are cleared.”

How Does the Ransomware Distribution Process Work?

By observing the ransomware’s behavior, Sophos researchers found that the attack began when the attackers used PDQ Deploy to execute batch scripts named “love.bat”, “update.bat” or “lock.bat” on target machines. These scripts contain a sequence of commands that prepare the machines for ransomware distribution and restart them in Safe Mode.

The command sequence, which takes about five seconds, performs the following steps in order:

  • Disabling Windows Update services and Windows Defender
  • Trying to disable components of commercial security software that can run in Safe Mode
  • Installing the legitimate remote administration tool AnyDesk and setting it to run in Safe Mode, creating a command-and-control infrastructure the attackers can use
  • Creating a new account with automatic login and connecting to the target domain controller to remotely run the ransomware executable “update.exe”
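As an added example (not from the Sophos article or from any Sophos product), the following detector correlates the steps above per host: it scans process-creation events and raises an alert only when several distinct stages of the chain appear on one host within a short window, which is what makes the sequence stand out from a lone administrator testing Safe Mode. The log format, host names, command lines and stage patterns are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the article): WS01 shows the whole chain within seconds; WS02/WS03 show single, benign-looking changes.
SAMPLE_LOG = r"""
2021-12-22T10:15:01 host=WS01 cmd=sc config WinDefend start= disabled
2021-12-22T10:15:02 host=WS01 cmd=sc config wuauserv start= disabled
2021-12-22T10:15:03 host=WS01 cmd=bcdedit /set {default} safeboot network
2021-12-22T10:15:04 host=WS01 cmd=reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk /ve /d Service /f
2021-12-22T10:15:05 host=WS01 cmd=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /d 1 /f
2021-12-22T11:40:00 host=WS02 cmd=bcdedit /set {default} safeboot minimal
2021-12-22T14:00:00 host=WS03 cmd=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /d 1 /f
"""

# One pattern per stage of the chain described in the article, matched against the process command line (assumed patterns).
STAGES = {
    "security_service_disabled": re.compile(r"\b(WinDefend|wuauserv)\b.*\bdisabled\b", re.I),
    "safe_mode_boot_configured": re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.I),
    "service_allowed_in_safe_mode": re.compile(r"\\SafeBoot\\(Network|Minimal)\\", re.I),
    "automatic_logon_set": re.compile(r"\bAutoAdminLogon\b", re.I),
}
LINE_RE = re.compile(r"^(\S+) host=(\S+) cmd=(.*)$")

def parse_events(log_text):
    """Yield (timestamp, host, command line) tuples; lines that do not fit the assumed format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def detect_safe_mode_chain(log_text, window_s=30, min_stages=3):
    """Return {host: sorted stage names} for each host on which at least `min_stages` distinct
    stages occur within `window_s` seconds; a single stage on its own never alerts."""
    window = timedelta(seconds=window_s)
    hits = defaultdict(list)  # host -> [(timestamp, stage name)]
    for ts, host, cmd in parse_events(log_text):
        for stage, pattern in STAGES.items():
            if pattern.search(cmd):
                hits[host].append((ts, stage))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window that starts at each hit
            stages = {s for t, s in events[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

Running `detect_safe_mode_chain(SAMPLE_LOG)` flags only WS01 with all four stages; WS02 and WS03 stay quiet because each shows one isolated change.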

Emphasizing that the techniques used by AvosLocker are simple but very clever, Mackenzie said, “The method used allows running the ransomware in Safe Mode and maintaining the attackers’ remote access to the machines. At Sophos, we have seen Snatch and BlackMatter apply similar techniques before. However, none of these ransomware groups tried to install an app like AnyDesk for command and control of machines while in Safe Mode. This is the first time we’ve encountered such a situation.”

Sophos Intercept X and other Sophos endpoint security products can keep systems safe by detecting the behavior of AvosLocker ransomware and other attacks.
