'Avos Locker' ransomware has simple but very clever tricks to evade PC defenses

silversurfer

AvosLocker, a relative newcomer to the ransomware service scene, is ramping up attacks while using some new techniques to try to evade security software.
One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it in Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target's intended security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe.
While AvosLocker merely repackages techniques from other gangs, Peter Mackenzie, director of incident response at Sophos, described their use as "simple, but very clever". Mackenzie says that while Avos copied the Safe Mode technique, installing AnyDesk for command and control of machines while in Safe Mode is a first. The AvosLocker attackers reboot the machines into Safe Mode for the final stages of the attack, but also modify the Safe Mode boot configuration to allow AnyDesk to be installed and run.

LASER_oneXM

In recent attacks, the AvosLocker ransomware gang has started focusing on disabling endpoint security solutions that stand in their way by rebooting compromised systems into Windows Safe Mode.

This tactic makes it easier to encrypt victims' files since most security solutions will be automatically disabled after Windows devices boot in Safe Mode.

And their new approach appears to be quite effective since the number of attacks attributed to the particular group is rising.
 

Andy Ful

This malware is the final phase of lateral movement in Enterprises. The attacker has got admin rights and the computer is already badly compromised. For example, before the AvosLocker delivery, Sophos observed that another commercial IT management tool (PDQ Deploy) was used to deploy several scripts. These scripts can modify or delete Registry keys that belong to specific endpoint security tools, including Windows Defender and products from Kaspersky, Carbon Black, Trend Micro, Symantec, Bitdefender, and Cylance.

The trick to boot into Safe Mode is also related to Enterprises because the Enterprise computers are usually not configured for remote management in Safe Mode. In this way, the Administrators cannot fight the malware remotely but must have physical access to the infected machines.
 

upnorth

that executes the ransomware payload, filelessly, from where the attackers have placed it on the Domain Controller
Hopefully not a Global Domain Controller account or one with the exact same granted permission as then it's for sure:

[image: gameover.gif]


The final step in the batch script is to set the machine to reboot in Safe Mode With Networking, and to disable any warning messages or ignore failures on startup. Then the script executes a command to reboot the box, and the infection is off to the races. If for whatever reason the ransomware doesn’t run, the attacker can use AnyDesk to remotely access the machine in question and try again manually.
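A defender-side audit for the two things the posts above describe, the boot entry being switched to Safe Mode With Networking (with startup failure prompts hidden) and a third-party remote-access service being allowed to run in Safe Mode. This is an added example, not code from the article or from anyone in the thread; it assumes bcdedit's `bootstatuspolicy` is the setting behind "ignore failures on startup", and it treats any SafeBoot\Network service whose binary lives outside the Windows directory as worth reporting.

```powershell
# Added example (not the article's or the thread's code): audits a Windows host
# for the Safe Mode tampering described in the thread. Run in an elevated PowerShell.
function Get-SafeModeTamperingFindings {
    $findings = @()

    # 1. Boot configuration: is {current} set to start in Safe Mode, and have
    #    boot-failure prompts been suppressed? (bootstatuspolicy is assumed here
    #    to be the setting behind "ignore failures on startup".)
    foreach ($line in (& bcdedit.exe /enum '{current}' 2>$null)) {
        if ($line -match '^\s*safeboot\s+(\S+)') {
            $findings += "BCD {current}: safeboot = $($Matches[1]) (host will boot into Safe Mode)"
        }
        if ($line -match '^\s*bootstatuspolicy\s+(Ignore\S+)') {
            $findings += "BCD {current}: bootstatuspolicy = $($Matches[1]) (failure prompts hidden)"
        }
    }

    # 2. Services allowed to start in Safe Mode With Networking. Windows populates
    #    this key with its own services and driver-class GUIDs; a third-party
    #    service here (such as a remote-access tool) merits a look.
    $sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
    foreach ($entry in (Get-ChildItem $sbKey -ErrorAction SilentlyContinue)) {
        $name = $entry.PSChildName
        if ($name -match '^\{[0-9A-Fa-f-]+\}$') { continue }   # device class GUIDs
        $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.ImagePath) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($svc.ImagePath)
        # Heuristic: anything whose binary is not under the Windows directory is reported.
        if ($path -notmatch '(?i)^"?([a-z]:\\windows\\|\\systemroot\\|system32\\)') {
            $findings += "SafeBoot\Network permits service '$name' -> $path"
        }
    }
    return $findings
}

$results = @(Get-SafeModeTamperingFindings)
if ($results.Count -eq 0) {
    'No Safe Mode tampering indicators found.'
} else {
    $results | ForEach-Object { "ALERT: $_" }
}
```

Legitimate endpoint security drivers sometimes register themselves under SafeBoot as well, so review each reported entry rather than treating every hit as malicious.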