- Aug 17, 2014
AvosLocker, a relative newcomer to the ransomware-as-a-service scene, is ramping up attacks while using some new techniques to try to evade security software.
One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it in Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target's security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software – which can leave otherwise protected machines unprotected.
While AvosLocker merely repackages techniques from other gangs, Peter Mackenzie, director of incident response at Sophos, described their use as "simple, but very clever". Mackenzie says that while Avos copied the Safe Mode technique, installing AnyDesk for command and control of machines while in Safe Mode is a first. The AvosLocker attackers reboot the machines into Safe Mode for the final stages of the attack, but also modify the Safe Mode boot configuration to allow AnyDesk to be installed and run.
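As an added detection example, not code from the article or from Sophos: a small scan over endpoint telemetry that flags the two changes a Safe Mode abuse of this kind would leave behind. It assumes the boot configuration is altered with bcdedit's safeboot switch and that a tool is allowed to start in Safe Mode by adding an entry under the SafeBoot registry key, both standard Windows mechanisms that the article does not name; the events and the baseline of known entries are constructed.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style events (not real telemetry). One process-creation
# event changes the safeboot setting, one registry event adds a SafeBoot\Network
# entry for AnyDesk, and two benign events act as noise.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk",
     "value": "Service"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys",
     "value": "Driver"},
]

# Constructed baseline: SafeBoot entries the administrator has already reviewed.
KNOWN_SAFEBOOT_ENTRIES = {"vga.sys"}

SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)
BCDEDIT_SAFEBOOT = re.compile(r"\bsafeboot\b", re.IGNORECASE)


@dataclass
class Finding:
    reason: str
    event: dict


def scan_events(events, baseline=KNOWN_SAFEBOOT_ENTRIES):
    """Return a Finding for each event that alters Safe Mode boot behaviour."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            # bcdedit touching the safeboot setting forces the next boot into Safe Mode.
            if ev["image"].lower().endswith("bcdedit.exe") and BCDEDIT_SAFEBOOT.search(ev["cmdline"]):
                findings.append(Finding("bcdedit changed the safeboot setting", ev))
        elif ev["type"] == "registry":
            m = SAFEBOOT_KEY.search(ev["key"])
            if m:
                # Entries under SafeBoot\Minimal or SafeBoot\Network are what Windows
                # allows to load in Safe Mode; anything outside the baseline is suspect.
                entry = ev["key"].rsplit("\\", 1)[-1]
                if entry.lower() not in {b.lower() for b in baseline}:
                    findings.append(Finding(f"new SafeBoot\\{m.group(1)} entry: {entry}", ev))
    return findings
```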