AvosLocker Ransomware Uses AnyDesk In Safe Mode To Launch Attacks

Sophos, a leader in next-generation cybersecurity, released new research about AvosLocker ransomware in the article, AvosLocker Remotely Accesses Boxes, Even Running in Safe Mode.

The report explains how Sophos Rapid Response discovered that the attackers had booted their target computers into Safe Mode to execute the ransomware, as the operators of the now-defunct Snatch, REvil, and BlackMatter ransomware families had done in attacks we’ve documented here.

The reason for this is that many, if not most, endpoint security products do not run in Safe Mode — a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe.

Sophos’ research explains how attackers attempt to bypass security controls by using a combination of Windows Safe Mode and the AnyDesk remote administration tool. Windows Safe Mode is an IT support method for resolving IT issues that disables most security and IT administration tools, while AnyDesk provides continuous remote access.

AvosLocker is a relatively new ransomware-as-a service that first appeared in late June 2021 and is growing in popularity, according to Sophos. The Sophos Rapid Response team has so far seen AvosLocker attacks in the Americas, Middle East and Asia-Pacific, targeting Windows and Linux systems.

Also Read: The Rise In Automation In The Middle East

“The Avos Locker attackers were not only rebooting the machines into Safe Mode for the final stages of the attack; They also modified the Safe Mode boot configuration so they could install and use the commercial IT management tool AnyDesk while the Windows computers were still running in Safe Mode. Normally, third party software would be disabled on a computer that had been rebooted into Safe Mode, but these attackers clearly intended to continue to remotely access and control the targeted machines unimpeded,” the report states.

Sophos researchers investigating the ransomware deployment found that the main sequence starts with attackers using PDQ Deploy to run and execute a batch script called “love.bat,” “update.bat,” or “lock.bat” on targeted machines. The script issues and implements a series of consecutive commands that prepare the machines for the release of the ransomware and then reboots into Safe Mode.

The command sequence takes approximately five seconds to execute and includes the following:

  • Disabling Windows update services and Windows Defender
  • Attempting to disable the components of commercial security software solutions that can run in Safe Mode
  • Installing the legitimate remote administration tool AnyDesk and setting it to run in Safe Mode while connected to the network, ensuring continued command and control by the attacker
  • Setting up a new account with auto login details and then connecting to the target’s domain controller to remotely access and run the ransomware executable, called update.exe

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviours of ransomware and other attacks, such as those described in this Sophos research.