New research about AvosLocker ransomware has been released by Sophos, a global leader in next-generation cyber-security, in the article “AvosLocker Remotely Accesses Boxes, Even Running in Safe Mode”. The research explains how attackers attempt to bypass security controls by combining Windows Safe Mode with the AnyDesk remote administration tool: Windows Safe Mode is an IT support method for resolving IT issues that disables most security and IT administration tools, while AnyDesk gives the attackers continuous remote access.
A relatively new ransomware as a service, AvosLocker first appeared in late June 2021 and is growing in popularity, according to Sophos. The Sophos Rapid Response team has so far seen AvosLocker attacks targeting Windows and Linux systems in the Americas, the Middle East and Asia-Pacific.
“Sophos discovered that the AvosLocker attackers installed AnyDesk so it works in Safe Mode, tried to disable the components of security solutions that run in Safe Mode, and then ran the ransomware in Safe Mode. This creates a scenario where the attackers have full remote control over every machine they’ve set up with AnyDesk, while the target organisation is likely locked out of remote access to those computers. Sophos has never seen some of these components used with ransomware, and certainly not together”, said Peter Mackenzie, Director of Incident Response at Sophos. “The message for IT security teams facing such an attack is that even if the ransomware fails to run, until they clean every trace of the attackers’ AnyDesk deployment from every impacted machine, they will remain exposed as the attackers have access to their organisation’s network and can lock them out again at any time”.
The Ransomware Deployment Process:
Sophos researchers investigating the ransomware deployment found that the main sequence starts with the attackers using PDQ Deploy to push and execute a batch script called “love.bat”, “update.bat” or “lock.bat” on targeted machines. The script runs a series of consecutive commands that prepare the machines for the release of the ransomware and then reboots them into Safe Mode.
The command sequence takes approximately five seconds to execute and includes the following:
- Disabling Windows Update services and Windows Defender
- Attempting to disable the components of commercial security software solutions that can run in Safe Mode
- Installing the legitimate remote administration tool AnyDesk while the machine is still connected to the network, and setting it to run in Safe Mode so that the attacker keeps command and control after the reboot
- Setting up a new account with auto-login details and connecting to the target’s domain controller, in order to remotely access and run the ransomware executable, called update.exe
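The command sequence above leaves a small set of host artefacts that an incident responder can check for: a service registered to load in Safe Mode, a boot entry already pointed at Safe Mode, an automatic-logon configuration, stopped Defender and Windows Update services, and a freshly created account. The script below is an added, read-only triage example written for this article; it is not Sophos’ or CIO News’ code and is not derived from the research. It assumes it is run in an elevated PowerShell session on the Windows host under investigation, and the watch-list of tool names and the seven-day look-back window are constructed starting points rather than values from the article.

```powershell
# Added example (not from the Sophos research or the CIO News article): read-only triage
# for the Safe Mode / AnyDesk persistence described above. It changes nothing on the host.
# Assumptions: elevated PowerShell on the host being investigated; the $WatchedTools list
# and $LookbackDays are constructed defaults, not values taken from the article.

function Get-SafeModePersistenceFindings {
    [CmdletBinding()]
    param(
        # Remote-administration tools that should never be registered to load in Safe Mode.
        [string[]]$WatchedTools = @('AnyDesk'),
        [int]$LookbackDays = 7
    )
    $findings    = [System.Collections.Generic.List[string]]::new()
    $toolPattern = ($WatchedTools | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # 1. Services registered to start in Safe Mode. Windows loads only what is listed under
    #    SafeBoot\Minimal (plain Safe Mode) and SafeBoot\Network (Safe Mode with Networking),
    #    so a remote-access tool appearing here is the footprint the article describes.
    foreach ($mode in 'Minimal', 'Network') {
        $safeBootKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($entry in (Get-ChildItem -Path $safeBootKey -ErrorAction SilentlyContinue)) {
            $svcName = $entry.PSChildName
            $kind    = (Get-ItemProperty -Path $entry.PSPath).'(default)'
            $image   = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName" `
                        -ErrorAction SilentlyContinue).ImagePath
            if ($svcName -match $toolPattern -or $image -match $toolPattern) {
                $findings.Add("SafeBoot\$mode: '$svcName' ($kind) is a watched remote-access tool: $image")
            }
            elseif ($kind -eq 'Service' -and $image -and $image -notmatch '(?i)systemroot|\\windows\\') {
                # Third-party services in Safe Mode are rare; security products are the usual
                # legitimate case, so compare this list against your own known-good baseline.
                $findings.Add("SafeBoot\$mode: third-party service '$svcName' loads in Safe Mode: $image")
            }
        }
    }

    # 2. Boot configuration already pointed at Safe Mode for the next restart.
    $bootEntry = & bcdedit.exe /enum '{current}' 2>$null
    if ($bootEntry -match '^\s*safeboot\s') {
        $findings.Add("bcdedit: the {current} boot entry has 'safeboot' set; the next reboot enters Safe Mode")
    }

    # 3. Automatic logon, which lets a newly created account reach the desktop unattended.
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($winlogon.AutoAdminLogon -eq '1') {
        $who = "$($winlogon.DefaultDomainName)\$($winlogon.DefaultUserName)"
        $pw  = if ($winlogon.DefaultPassword) { ' (DefaultPassword stored in clear text)' } else { '' }
        $findings.Add("Winlogon: AutoAdminLogon is enabled for $who$pw")
    }

    # 4. Defender and Windows Update services stopped or disabled.
    foreach ($svcName in 'WinDefend', 'wuauserv') {
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        if ($null -eq $svc) { $findings.Add("Service '$svcName' is not present"); continue }
        if ($svc.StartType -eq 'Disabled' -or $svc.Status -ne 'Running') {
            $findings.Add("Service '$svcName' is $($svc.Status) (start type $($svc.StartType))")
        }
    }
    try {
        if (-not (Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled) {
            $findings.Add('Defender: real-time protection is off')
        }
    } catch { $findings.Add("Defender: Get-MpComputerStatus failed ($($_.Exception.Message))") }

    # 5. Recently created local accounts (Security event 4720), the auto-logon account candidates.
    $since   = (Get-Date).AddDays(-$LookbackDays)
    $created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
               -ErrorAction SilentlyContinue
    foreach ($ev in $created) {
        # Property index 0 of event 4720 is TargetUserName, the account that was created.
        $findings.Add("Account '$($ev.Properties[0].Value)' created $($ev.TimeCreated) (event 4720)")
    }

    # 6. Any installed watched tool at all, regardless of Safe Mode registration, because the
    #    article's advice is to remove every trace of the AnyDesk deployment.
    foreach ($tool in $WatchedTools) {
        $svc = Get-Service -DisplayName "*$tool*" -ErrorAction SilentlyContinue
        if ($svc) { $findings.Add("Remote-access tool present: $($svc.DisplayName -join ', ')") }
    }

    return $findings
}

$result = Get-SafeModePersistenceFindings
if ($result.Count -eq 0) { Write-Output 'No Safe Mode persistence indicators found' }
else { $result | ForEach-Object { Write-Output "[!] $_" } }
```

Run it per host as part of scoping, not just on the machine where the ransomware fired: the quoted Sophos guidance is that any host still carrying the AnyDesk deployment or the auto-logon account remains under the attackers’ control, so the findings list doubles as the clean-up checklist for each machine.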
“The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack”, said Mackenzie. “Sophos has reported on Snatch and BlackMatter implementing the technique, however, neither of these ransomware groups attempted to install a subsequent application, such as AnyDesk, for command and control of the machines while in Safe Mode. We believe we’re seeing this for the first time”.
Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviours of ransomware and other attacks, including those described in this Sophos research.
CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics.