In the post “AvosLocker Remotely Accesses Boxes, Even Running in Safe Mode,” Sophos published new findings on the AvosLocker malware. Attackers try to get around security controls by employing a combination of Windows Safe Mode and the AnyDesk remote administration application, according to Sophos’ study. While AnyDesk allows continuous remote access, Windows Safe Mode is an IT support solution for resolving IT issues that disables most security and IT administration features.
According to Sophos, AvosLocker is a relatively new ransomware-as-a-service that first appeared in late June 2021 and is rising in popularity. Sophos Rapid Response has witnessed AvosLocker assaults targeting Windows and Linux systems in the Americas, the Middle East, and Asia-Pacific.
“Sophos discovered that the Avos Locker attackers installed AnyDesk so it works in Safe Mode, tried to disable the components of security solutions that run in Safe Mode, and then ran the ransomware in Safe Mode. This creates a scenario where the attackers have full remote control over every machine they’ve set up with AnyDesk, while the target organization is likelylocked out of remote access to those computers. Sophos has never seen some of these components used with ransomware, and certainly not together,” said Peter Mackenzie, director of incident response at Sophos .
He added, “The message for IT security teams facing such an attack is that even if the ransomware fails to run, until they clean every trace of the attackers’ AnyDesk deployment from every impacted machine, they will remain exposed as the attackers have access to their organization’s network and can lock them out again at any time.”
“The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack,” said Mackenzie.
He added, “Sophos has reported on Snatch and BlackMatter implementing the technique, however, neither of these ransomware groups attempted to install a subsequent application, such as AnyDesk, for command and control of the machines while in Safe Mode. We believe we’re seeing this for the first time.”
The core process begins with attackers utilising PDQDeploy to run and execute a batch script called “love.bat,” “update.bat,” or “lock.bat” on targeted devices, according to Sophos experts analysing the ransomware distribution. The script issues and executes a series of commands that prepare the machines for the ransomware’s release before rebooting into Safe Mode.
The following commands are included in the command sequence, which takes about five seconds to complete:
• Attempting to block components of commercial security software solutions that can run in Safe Mode by disabling Windows update services and Windows Defender
• Setting up the legitimate remote administration toolAnyDesk to run in Safe Mode while connected to the network, allowing the attacker to maintain command and control.
• Creating a new user with auto-login credentials, then connecting to the target’s domain controller to remotely access and execute the ransomware executable, update.exe
Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks, such as those described in this Sophos research.
