A new addition to the ransomware gang has surfaced online targeting systems with a distinct technique Identified as ‘AvosLocker’, the ransomware exploits AnyDesk software to infect devices. Whereas it reboots target systems in Safe Mode to evade detection.
AvosLocker Ransomware Exploits AnyDesk
In a recent report, Sophos has elaborated on new ransomware running active campaigns in the wild.
The researchers identified it as ‘Avoslocker’ – a new ransomware family employing techniques to disable endpoint security.
The first of these strategies include rebooting target systems in Safe Mode to evade detection. That’s because most third-party software are disabled in Windows Safe Mode, which often includes antimalware solutions too.
But this isn’t an exclusive approach since the BlackMatter, Snatch, and Revil also did the same in the past.
However, what’s peculiar with AvosLocker is its exploitation of the remote access software ‘AnyDesk’. It’s a closed source software similar to the popular TeamViewer.
The attackers install AnyDesk on target systems in Safe Mode to establish remote connectivity. They then run all the files remotely to avoid writing any files on the target systems.
The researchers also spotted the installation of another tool ‘Chisel’ in some instances. Similarly, the attackers also used the IT management tool “PDQ Deploy” in some cases to “push out Windows Bash scripts” to target devices, which they then run before rebooting systems in Safe Mode.
Regarding the functionality of these scripts, the researchers explained,
These orchestration scripts modified or deleted Registry keys that effectively sabotaged the services or processes belonging to specific endpoint security tools… The script disables Windows Update and attempts to disable Sophos services, but the tamper protection feature prevents the batch script from succeeding.
Also, the attackers use these scripts to create new admin accounts on targeted devices to sign in to the Safe Mode.
The final stage of the attack includes ransomware execution. But if it fails for any reason, the attackers can use AnyDesk for another attempt.
The researchers urge IT admins to never treat such threats as “low priority” regardless of how “benign” they appear.