Malware

AvosLocker ransomware reboots in Safe Mode and installs tools for remote access

In a recent wave of attacks, AvosLocker ransomware is rebooting systems into Windows Safe Mode to disable endpoint security solutions.

Sophos experts monitoring AvosLocker ransomware attacks noticed that the malware reboots compromised systems into Windows Safe Mode to disable endpoint security solutions.

Running the systems in Safe Mode allows the malware to encrypt victims’ files without interference, because endpoint security products do not run in Safe Mode. Other ransomware families, including Snatch, REvil, and BlackMatter, have used the same trick in the past.

The AvosLocker ransomware-as-a-service recently emerged in the threat landscape and its attacks surged between November and December.

Sophos researchers reported that AvosLocker operators also modify the Safe Mode boot configuration so they can install and use the commercial IT management tool AnyDesk while the Windows computers are still running in Safe Mode.

Normally, third-party software is disabled on a computer running in Safe Mode, but the ransomware operators aim to maintain access to the compromised systems throughout the attack.

“The Avos Locker attackers were not only rebooting the machines into Safe Mode for the final stages of the attack; they also modified the Safe Mode boot configuration so they could install and use the commercial IT management tool AnyDesk while the Windows computers were still running in Safe Mode,” reads the analysis published by Sophos.

In some attacks, the operators also employed a tool called Chisel to create a tunnel over HTTP and use it as a secure back channel to the infected machine. The new approach appears to be effective: the number of attacks attributed to this group is rising.

AvosLocker operators also used the commercial IT management tool PDQ Deploy to push Windows batch scripts to target machines. The batch files run before the system is rebooted into Safe Mode; they modify or delete Registry keys set up by some endpoint security tools (Windows Defender and products from Kaspersky, Carbon Black, Trend Micro, Symantec, Bitdefender, and Cylance) and set up persistence.

The attackers also used the script to create a new user account (newadmin) on the compromised machine, give it a password (password123456), and add it to the Administrators group.

“They then set the machine to automatically log in when it reboots into Safe Mode. The attackers also disable certain registry keys used by some networks to display a “legal notice” upon login. Disabling these features reduces the chance that the automatic login will fail because a dialog box waiting for a human to click it is holding up the process.” continues the analysis.

The last operation executed by the scripts is a reboot; once the system is back up, the ransomware is run from a location on a Domain Controller.

If the automated ransomware execution process fails, the operators can launch it manually using the AnyDesk remote access tool.

“The penultimate step in the infection process is the creation of a “RunOnce” key in the Registry that executes the ransomware payload, filelessly, from where the attackers have placed it on the Domain Controller. This is a similar behavior to what we’ve seen IcedID and other ransomware do as a method of executing malware payloads without letting the files ever touch the filesystem of the infected computer.” concludes the report.
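The chain described above leaves a recognizable footprint in a handful of well-known Windows locations: the boot configuration (a pending Safe Mode boot), the Safe Mode service allow-list, the Winlogon autologon values, the legal notice policy values, the RunOnce key, and the local Administrators group. The following read-only audit script is an added example, not code from Sophos or from the Security Affairs article. It checks those locations on a live host and reports anything matching the tampering the article describes. The registry paths are the standard Windows ones; the expected-administrators list, the legal-notice switch and the "binary outside %SystemRoot%" heuristic for Safe Mode services are assumptions to tune per environment. Run it from an elevated PowerShell session, since bcdedit and the HKLM\SYSTEM hive require administrative rights.

```powershell
# Added example: read-only audit for the Safe Mode / autologon / RunOnce tampering
# described in the article. Not code from Sophos or Security Affairs.
# Registry paths are standard Windows locations; allow-lists are assumptions to tune.
# Run from an elevated PowerShell (bcdedit and HKLM:\SYSTEM need admin rights).

function Get-SafeModeTamperingReport {
    param(
        # Local accounts you expect in Administrators (assumption: site-specific;
        # domain groups such as "Domain Admins" should be added here as well).
        [string[]]$ExpectedAdmins = @('Administrator'),
        # Set if build policy requires a logon legal notice banner on this host.
        [switch]$ExpectLegalNotice
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Pending Safe Mode boot: a "safeboot" line on the current BCD entry means the
    #    next reboot lands in Safe Mode, where endpoint security products do not load.
    $bcd = & bcdedit /enum '{current}' 2>$null
    $safeboot = @($bcd -match '^\s*safeboot\s+')
    if ($safeboot.Count -gt 0) {
        $findings.Add("BCD: current boot entry has safeboot set ($($safeboot -join '; '))")
    }

    # 2. Safe Mode service allow-list. Only services listed under SafeBoot\Minimal or
    #    SafeBoot\Network start in Safe Mode. Windows' own entries point into the
    #    system directory, so a service whose binary lives elsewhere (for example a
    #    remote-access tool under Program Files) stands out. Heuristic, not a baseline.
    foreach ($mode in 'Minimal', 'Network') {
        $root = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem -Path $root) {
            $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$($entry.PSChildName)"
            if (-not (Test-Path $svc)) { continue }   # device class GUIDs have no service key
            $image = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
            if ($image -and $image -notmatch '^(\\\?\?\\)?(%SystemRoot%|\\SystemRoot|system32|[A-Za-z]:\\Windows)') {
                $findings.Add("SafeBoot\$mode: service '$($entry.PSChildName)' -> $image")
            }
        }
    }

    # 3. Automatic logon: the article's scripts make the box log in on its own after
    #    the reboot into Safe Mode.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ("$($winlogon.AutoAdminLogon)" -eq '1') {
        $findings.Add("Winlogon: AutoAdminLogon=1 for user '$($winlogon.DefaultUserName)'")
        if ($winlogon.PSObject.Properties['DefaultPassword']) {
            $findings.Add('Winlogon: DefaultPassword is stored in clear text')
        }
    }

    # 4. Legal notice banner removed (only meaningful where policy requires one).
    if ($ExpectLegalNotice) {
        $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
        if ([string]::IsNullOrEmpty($pol.LegalNoticeCaption) -and [string]::IsNullOrEmpty($pol.LegalNoticeText)) {
            $findings.Add('Policies\System: LegalNoticeCaption and LegalNoticeText are empty')
        }
    }

    # 5. RunOnce entries, flagging those that execute from a UNC share (the article
    #    describes the payload staged on a Domain Controller and run from there).
    $runOnce = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
    if ($runOnce) {
        foreach ($p in $runOnce.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            $tag = if ("$($p.Value)" -match '\\\\[^\\]+\\') { 'UNC path' } else { 'present' }
            $findings.Add("RunOnce: $($p.Name) = $($p.Value) [$tag]")
        }
    }

    # 6. Unexpected members of the local Administrators group (the article's example
    #    is a newly created account named newadmin).
    foreach ($m in Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue) {
        $short = ($m.Name -split '\\')[-1]
        if ($ExpectedAdmins -notcontains $short) {
            $findings.Add("Administrators: unexpected member $($m.Name) ($($m.PrincipalSource))")
        }
    }
    return $findings
}

$report = @(Get-SafeModeTamperingReport -ExpectedAdmins 'Administrator' -ExpectLegalNotice)
if ($report.Count -eq 0) { 'No Safe Mode / autologon / RunOnce tampering indicators found.' }
else { $report | ForEach-Object { "[!] $_" } }
```

The script only reads state and prints findings; it changes nothing, so it is safe to schedule across a fleet (for example via the same software deployment tooling an estate already uses) and to feed into a SIEM. Because the Safe Mode service check is a heuristic, the most reliable use is to run it once on a known-good build to establish a baseline and then alert on differences.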


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
