Ransomware remains the top cybersecurity concern for businesses around the world, with new strains and operators popping up routinely, including one detailed by cybersecurity firm Sophos that leverages Safe Mode on target computers to disable third-party drivers and endpoint protection products.
In a post and a series of tweets, the company introduces the IT community to an “up-and-coming” ransomware family that calls itself Avos Locker. This strain has appeared in a recent series of ransomware incidents in which attackers boot target computers in Safe Mode to disable endpoint protections.
According to the company, that is not a new technique for deploying ransomware: the now-defunct Snatch, REvil and BlackMatter ransomware families had used it in the past.
However, these attackers also modify the Safe Mode boot configuration so that the commercial IT management tool AnyDesk is installed and keeps running while the computer is in Safe Mode. AnyDesk is a remote desktop application that the attackers used to remotely access targeted machines if the ransomware deployment was initially unsuccessful.
“Normally, third party software would be disabled on a computer that had been rebooted into Safe Mode, but these attackers clearly intended to continue to remotely access and control the targeted machines unimpeded,” the company says in a detailed writeup of the ransomware.
Sophos adds that the attackers have also been observed using a tool called Chisel, which creates a tunnel over HTTP with the data encrypted using SSH; the attackers can use it as a secure back channel to the target machine.
In some instances, Event Logs on some machines indicated that the attackers were able to move laterally.
“NEW: Avos Locker remotely accesses boxes, even running in Safe Mode. Infections involving this relatively new ransomware-as-a-service spiked in November and December…” — SophosLabs (@SophosLabs) December 22, 2021
The attackers made use of another IT management tool, PDQ Deploy, to push out Windows batch scripts to machines they planned to target. The batch files are run before the computer is rebooted into Safe Mode.
Those batch scripts “orchestrate stages of the attacks” and enable the actual deployment of the Avos Locker ransomware. Sophos calls out one batch script, Love.bat, which was pushed to machines on the network by the PDQDeployRunner service.
According to Sophos, those scripts modified or deleted Registry keys, sabotaging the services or processes of endpoint security tools, including the built-in Windows Defender and other third-party software.
“The script disables Windows Update and attempts to disable Sophos services, but the tamper protection feature prevents the batch script from succeeding,” the company says.
The batch script also creates a new administrator account on the infected machine and sets the machine to log in automatically when it reboots into Safe Mode. The attackers also disable the registry keys some networks use to display a legal notice at login, reducing the chance that the automatic login will stall because a dialog box waiting for a human to click it is holding up the boot.
Sophos says the “penultimate step” in the infection process is the creation of a “RunOnce” key in the Registry that executes the file-less ransomware payload from where attackers placed it on the Domain Controller.
Then, the final step is setting the machine to reboot into Safe Mode with Networking and configuring it to suppress warning messages or ignore failures on startup.
“Then the script executes a command to reboot the box, and the infection is off to the races,” according to Sophos’ research. “If for whatever reason the ransomware doesn’t run, the attacker can use AnyDesk to remotely access the machine in question and try again manually.”
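The chain Sophos describes leaves a recognisable set of artifacts on a host: a service registered to run under Safe Mode with Networking, an auto-logon configuration, a cleared legal-notice policy, a RunOnce value pointing at a network share, and a boot entry set to `safeboot Network`. The following triage helper is an added example written for this article, not code from Sophos or from the article itself: it parses a Windows registry export (the format produced by `reg export`) and the text output of `bcdedit`, and reports those indicators. The registry key paths and value names are the standard Windows locations; the two sample inputs, the `newadmin` account name, the `DC01` share and the `payload.exe` file name are all constructed for the example.

```python
"""Triage helper: flag Safe Mode persistence indicators in a registry export.

Added example for the article above; not Sophos' or the article's own code.
The .reg and bcdedit samples below are constructed, not captured from an incident.
"""
import re
from collections import defaultdict

# Constructed registry export containing every indicator the article describes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk]
@="Service"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="newadmin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LegalNoticeCaption"=""
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"update"="\\\\DC01\\share\\payload.exe"
"""

# Constructed excerpt of `bcdedit` output for a machine set to boot into Safe Mode with Networking.
SAMPLE_BCDEDIT = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
safeboot                Network
"""

SAFEBOOT_NET = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES_SYSTEM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# Remote-access tools named in the article; extend with whatever your estate does not sanction.
REMOTE_TOOLS = ("anydesk",)

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<value>.*)$')


def _unquote(value):
    """Strip quotes and .reg escaping from a REG_SZ value; leave dword:/hex: data as-is."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return value


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export body ("@" is the default value)."""
    tree = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group("key")
            tree[current]  # a key with no values is still recorded (e.g. a SafeBoot service entry)
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name = "@" if value.group("default") else value.group("name")
            tree[current][name] = _unquote(value.group("value"))
    return dict(tree)


def find_safe_mode_indicators(tree, expects_legal_notice=True):
    """Return (indicator, detail) pairs for the persistence artifacts described in the article."""
    findings = []
    prefix = (SAFEBOOT_NET + "\\").upper()
    for key in tree:  # services allowed to run under Safe Mode with Networking
        if key.upper().startswith(prefix):
            entry = key[len(prefix):]
            if any(tool in entry.lower() for tool in REMOTE_TOOLS):
                findings.append(("safeboot_remote_tool", entry))
    winlogon = tree.get(WINLOGON, {})
    if winlogon.get("AutoAdminLogon") in ("1", "dword:00000001"):
        findings.append(("autologon", winlogon.get("DefaultUserName", "?")))
    policy = tree.get(POLICIES_SYSTEM, {})
    if expects_legal_notice and policy.get("LegalNoticeCaption", None) == "":
        findings.append(("legal_notice_cleared", "LegalNoticeCaption"))
    for name, data in tree.get(RUNONCE, {}).items():  # RunOnce is transient; a UNC target is a red flag
        kind = "runonce_unc_path" if data.startswith("\\\\") else "runonce_entry"
        findings.append((kind, f"{name}={data}"))
    return findings


def bcd_safeboot_setting(bcdedit_output):
    """Return the value of the `safeboot` boot option from bcdedit output, or None if unset."""
    for line in bcdedit_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "safeboot":
            return parts[1].strip()
    return None


if __name__ == "__main__":
    for indicator, detail in find_safe_mode_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{indicator:22} {detail}")
    print(f"{'bcd_safeboot':22} {bcd_safeboot_setting(SAMPLE_BCDEDIT)}")
```

On a real host you would feed it the output of `reg export HKLM hklm.reg` and `bcdedit /enum` (an empty legal-notice caption is only meaningful where your policy deploys one, hence the `expects_legal_notice` switch); any hit on a machine that is not scheduled for maintenance is worth treating as more than a low-priority alert, in line with the advice below.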
The key message for IT
For hand-delivered ransomware like Avos Locker, IT needs to be aware of the mechanisms attackers put in place to maintain persistence on the target network.
Sophos recommends not treating any alert as “low priority” and ensuring tools (such as AnyDesk) attackers put in place to establish a back door are completely eradicated from the IT environment.
With that kind of access, attackers can lock out defenders or run additional attacks as long as those tools remain in place, Sophos says.