Hackers attempted to bypass security controls by using a combination of Windows Safe Mode and the AnyDesk remote administration tool, according to cybersecurity firm Sophos.
AnyDesk gives an operator continuous remote access, while Windows Safe Mode is a troubleshooting boot configuration used by IT support to resolve problems; it loads only essential components and so disables most security and IT administration tools and features.
Peter Mackenzie, director of incident response at Sophos, said in a statement: “Sophos discovered that the AvosLocker attackers installed AnyDesk so it works in Safe Mode, tried to disable the components of security solutions that run in Safe Mode, and then ran the ransomware in Safe Mode. This creates a scenario where the attackers have full remote control over every machine they’ve set up with AnyDesk, while the target organization is likely locked out of remote access to those computers. Sophos has never seen some of these components used with ransomware, and certainly not together.”
According to Sophos, AvosLocker is a relatively new ransomware-as-a-service that first appeared in late June 2021 and is rising in popularity. Sophos Rapid Response has witnessed AvosLocker attacks targeting Windows and Linux systems in the Americas, the Middle East, and Asia-Pacific.
The main sequence starts with the attackers using PDQ Deploy to push and execute a batch script called “love.bat,” “update.bat,” or “lock.bat” on targeted machines, according to the Sophos researchers investigating the ransomware deployment. The script runs a series of consecutive commands that prepare the machines for the ransomware’s release and then reboots them into Safe Mode.
The command sequence takes about five seconds to execute. It disables Windows Update services and Windows Defender and attempts to disable the components of commercial security software that can run in Safe Mode.
The script then installs the legitimate remote administration tool AnyDesk and configures it to run in Safe Mode while connected to the network, ensuring the attacker retains command and control. Finally, it sets up a new account with auto-login details and connects to the target’s domain controller to remotely access and run the ransomware executable, called update.exe.
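Each step of that sequence leaves an artifact on the host that a defender can audit for: a non-Windows service whitelisted to start in Safe Mode with Networking, an automatic-logon configuration, a boot entry forced into Safe Mode, and disabled Defender or Windows Update services. The read-only PowerShell audit below is an added example and is not code from Sophos or from the article; it assumes the standard Windows registry locations for SafeBoot and Winlogon settings and the usual `bcdedit` output format, and the `Add-Finding` helper and the seven-day window for recently created accounts are arbitrary choices made for the example. Run it elevated so that `bcdedit` can read the boot configuration store.

```powershell
# Added example (not from the Sophos report): audit a Windows host for the
# Safe Mode persistence artifacts described in the article. Read-only.
# Registry paths are standard Windows locations; the 7-day account window
# and the Add-Finding helper are assumptions made for this example.

function Get-SafeModePersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($check, $detail) {
        $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail })
    }

    # 1. Services allowed to start in "Safe Mode with Networking". Windows ships a
    #    fixed set of system entries here; a service whose binary lives outside
    #    %SystemRoot% (a remote-admin tool, for instance) deserves review.
    $safeBootNet = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
    $sysRootPattern = '^"?' + [regex]::Escape($env:SystemRoot) + '\\'
    $services = Get-CimInstance -ClassName Win32_Service
    Get-ChildItem -Path $safeBootNet -ErrorAction SilentlyContinue | ForEach-Object {
        $entry = $_.PSChildName
        $svc = $services | Where-Object { $_.Name -eq $entry }
        if ($svc -and $svc.PathName -notmatch $sysRootPattern) {
            Add-Finding 'Non-Windows service allowed in Safe Mode with Networking' "$entry -> $($svc.PathName)"
        }
    }

    # 2. Automatic logon: the account the attackers create so the machine logs
    #    itself in after the reboot into Safe Mode.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and $wl.AutoAdminLogon -eq '1') {
        $hasPw = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
        Add-Finding 'Automatic logon enabled' "user=$($wl.DefaultDomainName)\$($wl.DefaultUserName) cleartext_password_stored=$hasPw"
    }

    # 3. Boot entry forced into Safe Mode (bcdedit prints a "safeboot" line when
    #    the current entry has the flag set; requires elevation to read).
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    $safebootLines = @($bcd | Where-Object { $_ -match '^\s*safeboot\s+\S+' })
    if ($safebootLines.Count -gt 0) {
        Add-Finding 'Boot entry forces Safe Mode' (($safebootLines -join '; ').Trim())
    }

    # 4. Security and update services the script is described as disabling.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($wu -and $wu.StartType -eq 'Disabled') {
        Add-Finding 'Windows Update service disabled' 'wuauserv StartType=Disabled'
    }
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if (-not $mp.RealTimeProtectionEnabled) {
            Add-Finding 'Defender real-time protection off' 'RealTimeProtectionEnabled=False'
        }
    } catch {
        Add-Finding 'Defender status unavailable' $_.Exception.Message
    }

    # 5. Heuristic: enabled local accounts whose password was set recently, which
    #    is where a freshly created auto-logon account would show up.
    $recent = Get-LocalUser -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -gt (Get-Date).AddDays(-7) }
    foreach ($u in $recent) {
        Add-Finding 'Local account with password set in last 7 days' "$($u.Name) ($($u.PasswordLastSet))"
    }

    return $findings
}

$results = @(Get-SafeModePersistenceFindings)
if ($results.Count -eq 0) {
    'No Safe Mode persistence artifacts found.'
} else {
    $results | Format-Table -AutoSize
}
```

A legitimate third-party security product may also register a service under the SafeBoot keys, so finding 1 is a review list rather than a verdict; the combination of a non-Windows Safe Mode service, an auto-logon account and disabled Defender on the same host is what matches the pattern the report describes.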
Mackenzie added: “The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack.”