Sophos, a next-generation cybersecurity firm, has released new research about the AvosLocker ransomware in an article titled “AvosLocker Remotely Accesses Boxes, Even Running in Safe Mode.” Sophos’ research explains how the attackers attempt to bypass security controls by combining Windows Safe Mode with the AnyDesk remote administration tool. Windows Safe Mode is a troubleshooting boot mode used by IT support that starts only a minimal set of services and drivers, which leaves most security and IT administration tools disabled; AnyDesk, once set up to run in that mode, gives the attackers continuous remote access.
AvosLocker is a new ransomware-as-a-service threat that appeared in late June 2021 and is becoming more popular, according to Sophos. The Sophos Rapid Response team has witnessed AvosLocker attacks in the Americas, Middle East and Asia-Pacific, targeting Windows and Linux systems.
“Sophos discovered that the AvosLocker attackers installed AnyDesk so it works in Safe Mode, tried to disable the components of security solutions that run in Safe Mode, and then ran the ransomware in Safe Mode. This creates a scenario where the attackers have full remote control over every machine they’ve set up with AnyDesk, while the target organisation is likely locked out of remote access to those computers. Sophos has never seen some of these components used with ransomware, and certainly not together,” said Peter Mackenzie, director of incident response at Sophos.
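Windows starts only the services and drivers registered under the SafeBoot\Minimal and SafeBoot\Network registry keys when booted into Safe Mode, so a remote-access tool that has been registered there is a concrete artefact defenders can audit for. The following PowerShell check is an added example, not code from Sophos or the article; the baseline list of expected entry names is an assumption and should be captured from a known-clean machine of the same Windows build.

```powershell
# Added example (not from the article): audit the Safe Mode start lists for
# entries that are not in a known-good baseline, and call out remote-access tools.
# Only services/drivers registered under these keys run in Safe Mode (Minimal)
# or Safe Mode with Networking (Network).
$SafeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)

function Get-UnexpectedSafeBootEntries {
    param(
        # Assumption: the caller supplies entry names exported from a clean host
        # of the same build; anything not in this list is reported for review.
        [string[]]$Baseline = @()
    )
    foreach ($key in $SafeBootKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $name = $sub.PSChildName
            if ($Baseline -contains $name) { continue }
            # The subkey's default value tells Windows whether this is a Service or a Driver.
            $kind = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            # Resolve the registered service's binary so the analyst sees what would actually run.
            $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" `
                                    -ErrorAction SilentlyContinue
            $flag = 'Not in baseline'
            # AnyDesk is the tool named in the Sophos research; other remote-access
            # products can be added to this pattern as the environment requires.
            if ($svc.ImagePath -match 'anydesk') {
                $flag = 'Remote-access tool registered to run in Safe Mode'
            }
            [pscustomobject]@{
                SafeBootKey = Split-Path $key -Leaf
                Entry       = $name
                Kind        = $kind
                ImagePath   = $svc.ImagePath
                Flag        = $flag
            }
        }
    }
}

# Usage: compare against a baseline file (one entry name per line) captured from a clean host.
# Get-UnexpectedSafeBootEntries -Baseline (Get-Content .\safeboot-baseline.txt) | Format-Table -AutoSize
```

Run it with elevated rights so both SafeBoot keys and the Services hive are readable; entries that appear on a host but not in the clean baseline warrant investigation regardless of whether the binary name matches a known remote-access product.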