Sophos, a global cybersecurity vendor, has published research on attacks by the AvosLocker ransomware in which the attackers combine Windows Safe Mode with the AnyDesk remote administration tool.
Windows Safe Mode is a diagnostic boot mode that loads only a minimal set of drivers and services, which means most third-party security software does not start. That restriction cuts both ways: the attackers cannot run much in Safe Mode either, but they found that a tool such as AnyDesk can be configured to start there, giving them persistent remote access to the machine.
Sophos reports that the AvosLocker attackers install AnyDesk and configure it to run in Safe Mode, disable the security components that would otherwise run in Safe Mode, and then execute the ransomware from Safe Mode.
AvosLocker Ransomware Reboots in Safe Mode to Bypass Security Tools
In a statement, the director of incident response at Sophos, Peter Mackenzie, said,
“Sophos discovered that the AvosLocker attackers installed AnyDesk, so it works in Safe Mode, tried to disable the components of security solutions that run in Safe Mode, and then ran the ransomware in Safe Mode. This creates a scenario where the attackers have full remote control over every machine they’ve set up with AnyDesk, while the target organization is likely locked out of remote access to those computers. Sophos has never seen some of these components used with ransomware, and certainly not together.”
AvosLocker, which first appeared in June 2021, is a relatively new ransomware-as-a-service operation. The Sophos Rapid Response team has seen AvosLocker attacks in the Americas, the Middle East, and the Asia-Pacific region, targeting both Windows and Linux systems.
The researchers investigating the ransomware found that the attackers use PDQ Deploy, a legitimate software deployment tool, to push a batch script named “love.bat,” “update.bat,” or “lock.bat” to targeted machines. The script runs a series of commands that prepare each machine for the ransomware and reboot it into Safe Mode.
Peter Mackenzie said, “The techniques used by AvosLocker are simple but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack.”
The command sequence takes around five seconds to execute. It disables the Windows Update service and Windows Defender, then disables the components of security software that would otherwise run in Safe Mode.
It then installs the legitimate AnyDesk tool and configures it to run in Safe Mode with Networking, so the attackers keep their command-and-control channel across the reboot. Finally, it creates a new account with auto-login credentials and connects to the target’s domain controller to remotely access and run the ransomware binary, named update.exe.
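Each step of the script above leaves a configuration footprint on the host: a service permitted to start in Safe Mode, a Winlogon auto-logon account, and a boot entry forced into Safe Mode. The following triage script is an added example for defenders; it is not Sophos' tooling and not taken from the AvosLocker scripts. The registry locations and the bcdedit output format are the documented Windows ones; the function names and the "service binary outside %SystemRoot% is suspicious" rule are my own heuristics. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script (not Sophos' tooling, not from the AvosLocker scripts):
# checks a Windows host for the Safe Mode persistence indicators described above.
# Registry paths are the documented Windows ones; the "outside %SystemRoot%"
# rule and all function names are this example's own assumptions.

function Test-OutsideWindowsDir {
    param([string]$ImagePath)
    # Driver-class GUID entries and *.sys entries have no service key, so nothing to judge.
    if (-not $ImagePath) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim().TrimStart('"')
    $p = $p -replace '^\\\?\?\\', ''                 # strip the \??\ NT path prefix
    if (-not $p) { return $false }
    # Relative and \SystemRoot\ paths resolve against the Windows directory.
    if ($p -match '^(\\SystemRoot\\|system32\\|drivers\\)') { return $false }
    return -not $p.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
}

function Get-SafeBootServiceEntries {
    # Only services/drivers listed under these keys start in Safe Mode (Minimal)
    # and Safe Mode with Networking (Network). Registering a remote access tool
    # here is what lets it survive the reboot into Safe Mode.
    foreach ($mode in 'Minimal', 'Network') {
        $root = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $name  = $key.PSChildName
            $svc   = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            $image = if ($svc) { $svc.ImagePath } else { $null }
            [pscustomobject]@{
                Mode           = $mode
                Name           = $name
                Kind           = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
                ImagePath      = $image
                OutsideWindows = Test-OutsideWindowsDir $image
            }
        }
    }
}

function Get-AutoLogonConfig {
    # Winlogon auto-logon: the attackers need an account that logs itself in after
    # the Safe Mode reboot so a session exists without anyone at the console.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        Enabled         = ($wl.AutoAdminLogon -eq '1')
        DefaultUserName = $wl.DefaultUserName
        DefaultDomain   = $wl.DefaultDomainName
        PasswordStored  = [bool]$wl.DefaultPassword   # cleartext password in the registry is a finding on its own
    }
}

function Get-SafeBootSetting {
    # bcdedit prints "safeboot  Network" (or Minimal) for {current} when the next
    # boot has been forced into Safe Mode; a normally configured machine prints no such line.
    $lines = & bcdedit.exe /enum '{current}' 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*safeboot\s+(\w+)') { return $Matches[1] }
    }
    return $null
}

function Invoke-SafeModePersistenceCheck {
    $findings = @()
    foreach ($e in Get-SafeBootServiceEntries) {
        if ($e.OutsideWindows) {
            $findings += "SafeBoot\$($e.Mode) allows '$($e.Name)' ($($e.Kind)) -> $($e.ImagePath)"
        }
    }
    $al = Get-AutoLogonConfig
    if ($al.Enabled) {
        $findings += "AutoAdminLogon is on for $($al.DefaultDomain)\$($al.DefaultUserName); DefaultPassword stored: $($al.PasswordStored)"
    }
    $sb = Get-SafeBootSetting
    if ($sb) { $findings += "BCD forces the next boot into Safe Mode ($sb)" }

    if ($findings.Count -eq 0) { Write-Host 'No Safe Mode persistence indicators found.' }
    else { $findings | ForEach-Object { Write-Warning $_ } }
    return $findings
}

Invoke-SafeModePersistenceCheck
```

Treat the output as leads, not verdicts: legitimate security products also register their services under SafeBoot\Minimal and SafeBoot\Network (that is precisely what the attackers' script tries to undo), so a third-party path there needs a business-justification check rather than automatic removal. A remote administration tool under SafeBoot\Network, combined with AutoAdminLogon for a recently created account and a safeboot entry in the BCD, is the pattern this article describes and should be escalated as an active intrusion.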