Sophos, a world leader in cybersecurity, has discovered a new ransomware called AvosLocker. In this attack, the hackers use Windows Safe Mode and the AnyDesk remote administration tool.
Windows Safe Mode is a very common method of operating a PC without using a password. In Safe Mode not everything is accessible, but the hackers found that they can still run AnyDesk. With AnyDesk, they gained continuous remote access to the computers.
Sophos revealed that the AvosLocker attackers installed AnyDesk so that it works in Safe Mode, disabled the security services that run in Safe Mode, and then ran the ransomware in Safe Mode.
AvosLocker Ransomware restarts in safe mode to bypass security tools
In a statement, Sophos Incident Response Director Peter Mackenzie said:
“Sophos discovered that AvosLocker attackers installed AnyDesk, so it works in safe mode, tried to disable components of security solutions that run in safe mode, and then ran the ransomware in safe mode. This creates a scenario where the attackers have full remote control over every machine they have configured with AnyDesk, while the target organization probably does not have remote access to those computers. Sophos has never seen some of these components used with ransomware, and certainly not together.”
AvosLocker, a new ransomware-as-a-service operation, was first found in June 2021. The Sophos Rapid Response team has seen AvosLocker attacks in the Americas, the Middle East and the Asia-Pacific region, targeting both Windows and Linux systems.
Researchers investigating the ransomware found that the attackers use PDQ Deploy on specific machines to run a batch script called “love.bat”, “update.bat” or “lock.bat”. The script issues a series of consecutive commands that prepare the machines for the ransomware and restart them in Safe Mode.
Peter Mackenzie said: “The techniques used by AvosLocker are simple but very smart. They ensure that ransomware has the best chance of running in safe mode and allow attackers to retain remote access to machines throughout the attack.”
The script takes about five seconds to run and disables the Windows Update services and Windows Defender. It then disables the components of the security software that run in Safe Mode.
Next, it installs the legitimate AnyDesk tool and configures it to run in Safe Mode with networking, so the attackers keep their command-and-control access. They then set up a new account with automatic login, and connect to the target’s domain controllers to remotely access the machines and run the ransomware, called update.exe.
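As an added example (not Sophos code), the following Python sketches how a defender could correlate the stages described above in host telemetry: the named batch script launched through PDQ Deploy, the Windows Defender and Windows Update services set to disabled, and AnyDesk registered under the SafeBoot\Network key so it runs in Safe Mode with networking. The event shape, the PDQ runner image name and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict

SCRIPT_NAMES = ("love.bat", "update.bat", "lock.bat")  # script names reported by Sophos
DISABLED_SERVICES = {"windefend", "wuauserv"}          # Windows Defender, Windows Update
SAFEBOOT_ANYDESK = r"\safeboot\network\anydesk"        # service set to start in Safe Mode with networking

def classify(ev):
    """Map one telemetry event (assumed Sysmon-like dict) to an indicator stage, or None."""
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "").lower()
        parent = ev.get("parent", "").lower()
        # one of the named batch scripts pushed through PDQ Deploy (runner image name assumed)
        if any(cmd.endswith(s) for s in SCRIPT_NAMES) and "pdqdeploy" in parent:
            return "deploy_script"
    elif kind == "service_config":  # start type of a security/update service changed
        if ev.get("service", "").lower() in DISABLED_SERVICES and ev.get("start") == "disabled":
            return "security_disabled"
    elif kind == "registry":  # AnyDesk added under HKLM\...\Control\SafeBoot\Network
        if ev.get("key", "").lower().endswith(SAFEBOOT_ANYDESK):
            return "safeboot_remote"
    return None

def find_safe_mode_chain(events, min_stages=2):
    """Return {host: sorted stages} for hosts showing at least min_stages indicators."""
    per_host = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}

# Constructed telemetry, not real captures: ws01 shows the full chain, while ws02
# only has Windows Update disabled by an administrator and is therefore not flagged.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "parent": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\PDQDeployRunner-1.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\update.bat"},
    {"host": "ws01", "type": "service_config", "service": "WinDefend", "start": "disabled"},
    {"host": "ws01", "type": "service_config", "service": "wuauserv", "start": "disabled"},
    {"host": "ws01", "type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk"},
    {"host": "ws02", "type": "service_config", "service": "wuauserv", "start": "disabled"},
    {"host": "ws02", "type": "process", "parent": r"C:\Windows\explorer.exe", "cmdline": r"cmd.exe /c C:\Users\admin\update.bat"},
]

if __name__ == "__main__":
    for host, stages in find_safe_mode_chain(SAMPLE_EVENTS).items():
        print(f"{host}: possible AvosLocker safe-mode chain, stages={stages}")
```

A single stage on its own (an administrator disabling Windows Update, a user running a file called update.bat) is noise; the value is in requiring several of the stages on one host.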