iTWire - AvosLocker ransomware exploits AnyDesk and Safe Mode: Sophos

2021-12-28 01:12:05 By: Mr. Mike Xu

Security vendor Sophos says the attackers behind the AvosLocker ransomware are using the combination of Windows Safe Mode and the AnyDesk remote administration tool to bypass security controls and plant their malware.

AvosLocker is a fairly recent ransomware-as-a-service offering that has already been used to attack Windows and Linux systems in the Americas, the Middle East and Asia-Pacific, according to Sophos.

AnyDesk is a remote desktop application for Windows, macOS, Linux, iOS and Android.

"Sophos discovered that the AvosLocker attackers installed AnyDesk so it works in Safe Mode, tried to disable the components of security solutions that run in Safe Mode, and then ran the ransomware in Safe Mode. This creates a scenario where the attackers have full remote control over every machine they've set up with AnyDesk, while the target organisation is likely locked out of remote access to those computers. Sophos has never seen some of these components used with ransomware, and certainly not together," said Sophos director of incident response Peter Mackenzie.

"The message for IT security teams facing such an attack is that even if the ransomware fails to run, until they clean every trace of the attackers' AnyDesk deployment from every impacted machine, they will remain exposed as the attackers have access to their organisation's network and can lock them out again at any time."

On Windows, AvosLocker is deployed via a batch file that disables Windows update services and Windows Defender, attempts to disable the components of commercial security software solutions that can run in Safe Mode, installs AnyDesk and sets it to run in Safe Mode, sets up a new account with auto login details, and then connects to a domain controller to remotely access and run the ransomware itself.
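The persistence described above leaves two artefacts that an administrator can audit directly: a program registered to start in Safe Mode, and an account configured for automatic logon. The following PowerShell script is an added example for defenders and is not code from the iTWire article or from Sophos's report. The registry locations it reads (SafeBoot\Minimal, SafeBoot\Network, the Services tree and the Winlogon key) are standard Windows locations; the heuristic that flags any Safe Mode entry whose binary lives outside the Windows directory, and the choice to check the wuauserv and WinDefend service start types, are assumptions made for this example, so its output is a review list rather than a verdict (legitimate third-party security drivers also register under SafeBoot).

```powershell
# Added example (not from the iTWire article or Sophos's report): audit a
# Windows host for the Safe Mode persistence and auto-logon artefacts the
# article describes. Run from an elevated PowerShell prompt.

$findings = @()

# 1. Services and drivers allowed to start in Safe Mode are listed as subkeys
#    of SafeBoot\Minimal (Safe Mode) and SafeBoot\Network (Safe Mode with
#    Networking). A remote access tool that must survive a Safe Mode boot
#    needs an entry here. Heuristic (assumption): flag entries whose service
#    binary is not under the Windows directory.
foreach ($mode in 'Minimal', 'Network') {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    foreach ($entry in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $name   = $entry.PSChildName
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        # Class GUID entries have no Services key; those are skipped.
        $image  = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($image -and $image -notmatch '^(\\\?\?\\|")?(%SystemRoot%|\\SystemRoot|C:\\Windows|system32)') {
            $findings += [pscustomobject]@{
                Check  = "SafeBoot\$mode"
                Item   = $name
                Detail = $image
            }
        }
    }
}

# 2. Automatic logon: AutoAdminLogon=1 plus a stored DefaultUserName (and often
#    DefaultPassword) logs the machine straight into that account on reboot,
#    which is what an attacker-created account with "auto login details" needs.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl -and $wl.AutoAdminLogon -eq '1') {
    $findings += [pscustomobject]@{
        Check  = 'Winlogon'
        Item   = 'AutoAdminLogon'
        Detail = "user=$($wl.DefaultUserName) domain=$($wl.DefaultDomainName) password_stored=$([bool]$wl.DefaultPassword)"
    }
}

# 3. Windows Update and Defender services: a Start value of 4 means disabled,
#    which matches the batch file behaviour described in the article.
foreach ($svc in 'wuauserv', 'WinDefend') {
    $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {
        $findings += [pscustomobject]@{
            Check  = 'ServiceDisabled'
            Item   = $svc
            Detail = "Start=$start"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Safe Mode persistence, auto-logon or disabled-service indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any SafeBoot entry the script lists should be compared against the organisation's known software inventory; an entry pointing at a remote desktop tool that the IT team did not deploy, combined with an AutoAdminLogon setting nobody configured, is the combination Mackenzie warns must be removed from every affected machine before the environment can be considered clean.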

"The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack," said Mackenzie.

"Sophos has reported on Snatch and BlackMatter implementing the technique; however, neither of these ransomware groups attempted to install a subsequent application, such as AnyDesk, for command and control of the machines while in Safe Mode. We believe we're seeing this for the first time."

Understandably, Sophos points out that its endpoint products – including Intercept X – protect users by detecting the actions and behaviours of ransomware and other attacks, such as those described in this Sophos research.

More details of Sophos's analysis are available here.


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.