My TechDecisions

This New Ransomware Strain Uses Safe Mode, Remote Desktop Tools

Sophos details new ransomware family that leverages Safe Mode and IT management tools to maintain persistence in victim networks.

December 22, 2021 Zachary Comeau


Ransomware remains the top cybersecurity concern for businesses around the world, with new strains and operators popping up routinely, including one detailed by cybersecurity firm Sophos that leverages Safe Mode on target computers to disable third-party drivers and endpoint protection products.

In a post and a series of tweets, the company introduces the IT community to an “up-and-coming” ransomware family that calls itself Avos Locker. This strain has appeared in a recent series of ransomware incidents in which attackers boot target computers in Safe Mode to disable endpoint protections.

According to the company, that’s not a new technique in deploying ransomware, as the now-defunct Snatch, REvil and BlackMatter ransomware families had done in the past.

However, these attackers also modify the Safe Mode boot configuration to install and use the commercial IT management tool AnyDesk while computers are running in Safe Mode. AnyDesk is a remote desktop application that the attackers used to remotely access targeted machines if the ransomware deployment was initially unsuccessful.

“Normally, third party software would be disabled on a computer that had been rebooted into Safe Mode, but these attackers clearly intended to continue to remotely access and control the targeted machines unimpeded,” the company says in a detailed writeup of the ransomware. 

Sophos adds that the attackers have also been observed using a tool called Chisel, which creates a tunnel over HTTP with the data encrypted using SSH; the attackers can use it as a secure back channel to the target machine.

In some instances, the Event Logs on some machines indicated that the attackers were able to move laterally.

NEW: Avos Locker remotely accesses boxes, even running in Safe Mode

Infections involving this relatively new ransomware-as-a-service spiked in November and December…

1/16 pic.twitter.com/MeqUfnTwpg

— SophosLabs (@SophosLabs) December 22, 2021

The attackers made use of another IT management tool, PDQ Deploy, to push out Windows batch scripts to the machines they planned to target. The batch files are run before the computer is rebooted into Safe Mode.

Those batch scripts “orchestrate stages of the attacks” and enable the actual deployment of the Avos Locker ransomware. Sophos calls out one batch script, Love.bat, which was pushed to machines on the network by the PDQDeployRunner service.

According to Sophos, those scripts modified or deleted Registry keys, sabotaging the services or processes of endpoint security tools, including the built-in Windows Defender and other third-party software.

“The script disables Windows Update and attempts to disable Sophos services, but the tamper protection feature prevents the batch script from succeeding,” the company says.

The batch script also creates a new administrator account on the infected machine and sets the machine to log in automatically when it reboots into Safe Mode. The attackers also disable the registry keys some networks use to display a legal notice at login, reducing the chance that the automatic login will fail because a dialog box waiting for a human to click it is holding up the boot.

Sophos says the “penultimate step” in the infection process is the creation of a “RunOnce” key in the Registry that executes the file-less ransomware payload from where attackers placed it on the Domain Controller.

The final step is setting the machine to reboot into Safe Mode with Networking and to suppress warning messages or ignore failures on startup.

“Then the script executes a command to reboot the box, and the infection is off to the races,” according to Sophos’ research. “If for whatever reason the ransomware doesn’t run, the attacker can use AnyDesk to remotely access the machine in question and try again manually.”
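As an added illustration (not Sophos' or the article's code), here is a read-only PowerShell audit of a single Windows host for the settings the article walks through: a forced Safe Mode boot, services permitted to start in Safe Mode with Networking, automatic logon, a cleared logon banner, RunOnce entries, and local Administrators membership. The registry paths and the bcdedit query are standard Windows locations; the -ExpectLogonBanner switch and the "anydesk" name match are this example's own assumptions.

```powershell
# Added example, not Sophos' or the article's code: read-only audit of one Windows
# host for the Safe Mode persistence settings described above. Run elevated.
# Key paths are standard Windows locations; -ExpectLogonBanner is this script's own switch.
param([switch]$ExpectLogonBanner)
$findings = @()

# 1. Boot configuration: is the current boot entry forced into Safe Mode?
$bcd = (bcdedit /enum '{current}' 2>$null) -join "`n"
if ($bcd -match 'safeboot\s+(\w+)') {
    $findings += "bcdedit: {current} has safeboot=$($Matches[1])"
}

# 2. Services allowed to start in Safe Mode with Networking. Windows lists its own
#    components here; a remote-access tool such as AnyDesk registered here is suspect.
$net = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
Get-ChildItem $net -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match 'anydesk' } |
    ForEach-Object { $findings += "SafeBoot\Network permits: $($_.PSChildName)" }

# 3. Automatic logon, which lets the box come up unattended after the forced reboot.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl.AutoAdminLogon -eq '1') {
    $findings += "Winlogon: AutoAdminLogon=1 for '$($wl.DefaultUserName)'"
}

# 4. Logon banner: an empty legal notice on a host that is supposed to show one
#    matches the "keep the automatic login from stalling" step in the article.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($ExpectLogonBanner -and [string]::IsNullOrEmpty($pol.legalnoticetext)) {
    $findings += 'Policies\System: legalnoticetext is empty but a banner is expected'
}

# 5. RunOnce entries run at the next logon; a UNC path is the pattern described
#    (payload hosted on the Domain Controller). PS* properties are provider metadata.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $ro = Get-ItemProperty "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" -ErrorAction SilentlyContinue
    if (-not $ro) { continue }
    $ro.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        $tag = if ("$($_.Value)" -like '\\*') { 'UNC' } else { 'local' }
        $findings += "RunOnce ($hive, $tag): $($_.Name) = $($_.Value)"
    }
}

# 6. Extra local accounts in Administrators, to spot one the batch script may have added.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.Name -notlike '*\Administrator' } |
    ForEach-Object { $findings += "Local admin account: $($_.Name)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Safe Mode persistence indicators found' }
```

Each finding is a lead to verify against the host's baseline, not a verdict; the script changes nothing, so remediation (removing the tool, resetting the boot configuration, disabling the account) remains a deliberate follow-up step.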

The key message for IT

For hand-delivered ransomware like Avos Locker, IT needs to be aware of the mechanisms attackers put in place to maintain persistence on the target network.

Sophos recommends not treating any alert as “low priority” and ensuring tools (such as AnyDesk) attackers put in place to establish a back door are completely eradicated from the IT environment.

With that kind of access, attackers can lock out defenders or run additional attacks as long as those tools remain in place, Sophos says.

© 2022 Emerald X, LLC. All rights reserved.