AvosLocker Ransomware Uses AnyDesk in Safe Mode to Launch Attacks, Sophos Reports

0
35

OXFORD, United Kingdom, Dec. 22, 2021 (GLOBE NEWSWIRE) — Sophos, a global leader in next-generation cybersecurity, today released new research about AvosLocker ransomware in the article, “AvosLocker Remotely Accesses Boxes, Even Running in Safe Mode.” Sophos’ research explains how attackers attempt to bypass security controls by using a combination of Windows Safe Mode and the AnyDesk remote administration tool. Windows Safe Mode is an IT support method for resolving IT issues that disables most security and IT administration tools, while AnyDesk provides continuous remote access.

AvosLocker is a relatively new ransomware-as-a service that first appeared in late June 2021 and is growing in popularity, according to Sophos. The Sophos Rapid Response team has so far seen AvosLocker attacks in the Americas, Middle East and Asia-Pacific, targeting Windows and Linux systems.

“Sophos discovered that the AvosLocker attackers installed AnyDesk so it works in Safe Mode, tried to disable the components of security solutions that run in Safe Mode, and then ran the ransomware in Safe Mode. This creates a scenario where the attackers have full remote control over every machine they’ve set up with AnyDesk, while the target organization is likely locked out of remote access to those computers. Sophos has never seen some of these components used with ransomware, and certainly not together,” said Peter Mackenzie, director of incident response at Sophos. “The message for IT security teams facing such an attack is that even if the ransomware fails to run, until they clean every trace of the attackers’ AnyDesk deployment from every impacted machine, they will remain exposed as the attackers have access to their organization’s network and can lock them out again at any time.”

The Ransomware Deployment Process

Sophos researchers investigating the ransomware deployment found that the main sequence starts with attackers using PDQ Deploy to run and execute a batch script called “love.bat,” “update.bat,” or “lock.bat” on targeted machines. The script issues and implements a series of consecutive commands that prepare the machines for the release of the ransomware and then reboots into Safe Mode.

The command sequence takes approximately five seconds to execute and includes the following:

  • Disabling Windows update services and Windows Defender
  • Attempting to disable the components of commercial security software solutions that can run in Safe Mode
  • Installing the legitimate remote administration tool AnyDesk and setting it to run in Safe Mode while connected to the network, ensuring continued command and control by the attacker
  • Setting up a new account with auto login details and then connecting to the target’s domain controller to remotely access and run the ransomware executable, called update.exe

“The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack,” said Mackenzie. “Sophos has reported on Snatch and BlackMatter implementing the technique, however, neither of these ransomware groups attempted to install a subsequent application, such as AnyDesk, for command and control of the machines while in Safe Mode. We believe we’re seeing this for the first time.”

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks, such as those described in this Sophos research.

For further information read the article on SophosLabs Uncut.

Additional Resources

  • Further details on the evolving cyberthreat landscape can be found in the Sophos 2022 Threat Report
  • Tactics, techniques, and procedures (TTPs) and more for different types of threats are available on SophosLabs Uncut, which provides Sophos’ latest threat intelligence
  • Information on attacker behaviors, incident reports and advice for security operations professionals is available on Sophos News SecOps
  • Learn more about Sophos’ Rapid Response Service that contains, neutralizes and investigates attacks 24/7
  • The four top tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response Team
  • Read the latest security news and views on Sophos’ award-winning news website Naked Security and on Sophos News

About Sophos
Sophos is a worldwide leader in next-generation cybersecurity, protecting more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyberthreats. Powered by threat intelligence, AI and machine learning from SophosLabs and SophosAI, Sophos delivers a broad portfolio of advanced products and services to secure users, networks and endpoints against ransomware, malware, exploits, phishing and the wide range of other cyberattacks. Sophos provides a single integrated cloud-based management console, Sophos Central – the centerpiece of an adaptive cybersecurity ecosystem that features a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers, and other cybersecurity vendors. Sophos sells its products and services through reseller partners and managed service providers (MSPs) worldwide. Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.