This new ransomware has simple but very clever tricks to circumvent PC protection
AvosLocker, a newcomer to the ransomware-as-a-service scene, is ramping up attacks while using some new techniques to try to bypass security software.
Security firm Sophos warns that AvosLocker, a ransomware gang that emerged this summer, is recruiting partners - such as 'access brokers' who sell access to devices that have already been compromised - in the hope of filling the gap left by REvil's withdrawal.
One of the key features of AvosLocker is its use of the AnyDesk remote IT management tool, which it runs in Windows Safe Mode. The Safe Mode trick was previously used by REvil, Snatch and BlackMatter as a way to switch off a target's security and IT management tools. As Sophos points out, many endpoint security products do not run in Safe Mode - a diagnostic mode in which Windows disables most third-party drivers and software - which can leave otherwise protected machines exposed.
AnyDesk, a legitimate remote management tool, has become an alternative among criminals to TeamViewer, which offered the same kind of functionality. Running AnyDesk in Safe Mode while connected to the network allows the attacker to take control of infected devices.
While AvosLocker is not simply repackaging other groups' methods, Peter Mackenzie, Sophos's director of incident response, described the approach as "simple, but very clever".
Mackenzie says that although AvosLocker copied the Safe Mode technique, installing AnyDesk for command and control of devices while they are in Safe Mode is its own addition.
The AvosLocker attackers reboot devices into Safe Mode for the final stages of the attack, but they also change the Safe Mode boot configuration so that AnyDesk can be installed and run there.
Sophos notes in a blog post that the legitimate owners of a computer may be unable to manage it remotely once it has been configured to run AnyDesk in Safe Mode. Physical access to the infected computer may be needed to administer it, which can cause problems across a large network of Windows PCs and servers.
Sophos has also found a number of other unusual techniques used with AvosLocker. A Linux component, for example, targets VMware ESXi hypervisor servers by killing any running virtual machines (VMs) and then encrypting the VM files. Sophos is still investigating how the attackers obtained the administrative credentials needed to enable the ESXi Shell or otherwise access the server.
The attackers also used the PDQ Deploy IT management tool to push several Windows batch scripts to target devices, including Love.bat, update.bat and lock.bat. As Sophos explains, in about five seconds these scripts disable security products that can still run in Safe Mode, disable Windows Defender, and configure the device to run AnyDesk in Safe Mode. They also create a new account with automatic-logon details, then connect as the target's domain administrator to remotely access and run the ransomware executable, update.exe.
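The two footholds described above (a Safe Mode boot configuration that lets a remote-access tool run, and an account with stored automatic-logon details) both leave traces in the registry and boot configuration. The following PowerShell audit is an added example, not code from the article or from Sophos; it assumes it is run as an administrator on the Windows host being checked, and the "inside the Windows directory" heuristic for service image paths is a simple assumption rather than an authoritative baseline.

```powershell
# Added example: audit a Windows host for Safe Mode persistence and automatic logon.
# Run as an administrator. Returns a list of findings (empty list = nothing flagged).
function Get-SafeModeFootholds {
    $findings = @()

    # 1. Services registered to start in Safe Mode (Minimal or Network). Flag any
    #    whose binary lives outside the Windows directory - a heuristic assumption,
    #    not a vendor baseline; compare against a known-clean host of the same build.
    $windowsPath = '^("|\\\?\?\\)?(%SystemRoot%|\\SystemRoot|system32|C:\\Windows)'
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem $key) {
            $name = $entry.PSChildName
            if ($entry.GetValue('') -ne 'Service') { continue }   # skip driver-class entries
            $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            if ($svc -and $svc.ImagePath -and ($svc.ImagePath -notmatch $windowsPath)) {
                $findings += [pscustomobject]@{
                    Check  = "SafeBoot\$mode service outside Windows directory"
                    Detail = "$name -> $($svc.ImagePath)"
                }
            }
        }
    }

    # 2. Winlogon automatic logon: AutoAdminLogon=1 with a stored DefaultPassword
    #    is the combination a hands-off reboot into Safe Mode would need.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.AutoAdminLogon -eq '1') {
        $findings += [pscustomobject]@{
            Check  = 'Winlogon automatic logon enabled'
            Detail = "User=$($wl.DefaultUserName) Domain=$($wl.DefaultDomainName) PasswordStored=$([bool]$wl.DefaultPassword)"
        }
    }

    # 3. Boot entry already set to force Safe Mode on the next restart.
    $bcd = bcdedit /enum '{current}' 2>$null
    $safeboot = $bcd | Where-Object { $_ -match '^\s*safeboot\s' }
    if ($safeboot) {
        $findings += [pscustomobject]@{
            Check  = 'Current boot entry forces Safe Mode'
            Detail = ($safeboot -join '; ').Trim()
        }
    }

    return ,$findings
}

Get-SafeModeFootholds | Format-Table -AutoSize
```

Any hit on checks 1 or 3 on a machine that is not mid-troubleshooting deserves the same priority as the alerts Sophos describes, since it indicates preparation for the Safe Mode stage of the attack rather than the encryption itself.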
Sophos warns: "Ransomware, especially when delivered manually (as in these AvosLocker scenarios), is a difficult problem to solve because one has to deal not only with the ransomware itself, but with any mechanisms threat actors have set up as a backdoor into the targeted network. No warning should be treated as 'low priority' in these circumstances, no matter how unusual it may seem."