In recent attacks the AvosLocker ransomware gang has started to neutralise endpoint protection by rebooting infected machines into Windows Safe Mode before encrypting. The trick works because most security products do not load when Windows boots into Safe Mode, so the encryptor runs on a system with no active defences. The approach appears to be paying off: the number of attacks attributed to the group is rising.
According to a report by SophosLabs Principal Researcher Andrew Brandt, AvosLocker operators use PDQ Deploy, a legitimate software deployment and patch management tool, to push a set of Windows batch scripts onto target systems. These scripts lay the groundwork for the attack.
The scripts modify or delete Registry entries belonging to endpoint security products, including Windows Defender and products from Kaspersky, Carbon Black, Trend Micro, Symantec, Bitdefender and Cylance. They also create a new local user account on the infected system.
That account is then configured to log on automatically when the system boots into Safe Mode with Networking. The scripts also remove the "legal notice" logon banner Registry keys, because an interactive banner would otherwise stop the automatic logon from completing.
Finally, the scripts issue a reboot command and the machine comes up in Safe Mode. Once it is back, the ransomware payload is launched from a Domain Controller. If automatic execution fails, the operators fall back to the AnyDesk remote access tool and run the rest of the procedure by hand.
Other ransomware groups, including REvil (which also used auto-logon), BlackMatter and Snatch, have abused the same Safe Mode execution path before, so this is an established technique rather than a one-off that defenders can afford to ignore. Because most endpoint protection products do not run in Safe Mode, the sole purpose of forcing the system into that mode is to switch off whatever security software is running.
This simple but effective method can leave even well-protected PCs defenceless against a ransomware execution chain. Make sure your security tooling detects and blocks writes to the Registry keys that enable Safe Mode auto-logon, and that it flags reboot commands issued from scripts on workstations rather than letting them pass as routine maintenance.
Blocking of this kind may occasionally interfere with legitimate Registry changes, but the extra effort is worthwhile for administrators. As Sophos points out in its report, no alert should be treated as "low priority": even a small, seemingly insignificant detail can be a critical link in a ransomware execution chain.
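The staging chain described above (auto-logon configured in Winlogon, logon banner suppressed, boot redirected to Safe Mode, forced reboot) is easy to express as a correlation rule, and the closing advice about not discarding low-priority alerts is exactly why each stage should still surface on its own. The following detector is an added example written for this article; it is not code from Sophos, AvosLocker or any product. It consumes Sysmon-style events (registry value set/delete and process creation) represented as dicts, over a constructed sample that is not real telemetry. The event schema, the host names, the account name and the `detect`/`classify_*` helpers are assumptions made for the example; the Registry paths and the `bcdedit` and `shutdown` switches are the real Windows ones.

```python
"""Detector for the Safe Mode auto-logon staging chain (added example, not from the article).

Events are Sysmon-style dicts (constructed below): type "reg_set"/"reg_delete" with
target/details, or "proc" with image/cmdline. Every stage hit is emitted as a low
severity alert; a host that completes the chain within the window gets a high one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES_SYSTEM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAFEBOOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Stages that must all appear on one host to raise the high-severity chain alert.
CHAIN_REQUIRED = {"autologon_enabled", "safeboot_requested", "reboot_forced"}


def classify_registry(target: str, details: str, deleted: bool = False) -> Optional[str]:
    """Map a registry write/delete (Sysmon 12/13 TargetObject + Details) to a stage name."""
    key, _, value = target.rpartition("\\")
    key, value, details = key.lower(), value.lower(), details.strip().lower()
    if key == WINLOGON.lower():
        if value == "autoadminlogon" and details in ("1", "dword (0x00000001)"):
            return "autologon_enabled"
        if value in ("defaultusername", "defaultpassword", "defaultdomainname"):
            return "autologon_credentials"
    if key == POLICIES_SYSTEM.lower() and value in ("legalnoticecaption", "legalnoticetext"):
        # Deleting the banner or blanking it both let an automatic logon complete;
        # an admin setting non-empty banner text is not suspicious.
        return "legal_notice_suppressed" if deleted or details == "" else None
    if key.startswith(SAFEBOOT.lower() + "\\"):
        return "safeboot_requested"  # service allow-listed to start in Safe Mode
    return None


def classify_process(image: str, cmdline: str) -> Optional[str]:
    """Map a process creation (Sysmon 1) to a stage name."""
    exe, cmd = image.lower().rsplit("\\", 1)[-1], cmdline.lower()
    if exe == "bcdedit.exe" and re.search(r"\bsafeboot\s+(network|minimal)\b", cmd):
        return "safeboot_requested"  # next boot goes to Safe Mode
    if exe == "shutdown.exe" and re.search(r"(^|\s)[/-]r\b", cmd):
        return "reboot_forced"
    if exe == "net.exe" and re.search(r"\buser\b.*\s[/-]add\b", cmd):
        return "local_account_created"
    return None


def classify(ev: Dict) -> Optional[str]:
    if ev["type"] in ("reg_set", "reg_delete"):
        return classify_registry(ev["target"], ev.get("details", ""), ev["type"] == "reg_delete")
    if ev["type"] == "proc":
        return classify_process(ev["image"], ev["cmdline"])
    return None


def detect(events: List[Dict], window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Return one 'low' alert per stage hit and one 'high' alert per host completing the chain."""
    alerts, per_host = [], defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        alerts.append({"severity": "low", "host": ev["host"], "stage": stage, "ts": ev["ts"]})
        per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window from each hit
            seen = {s for t, s in hits[i:] if t - start <= window}
            if CHAIN_REQUIRED <= seen:
                alerts.append({"severity": "high", "host": host,
                               "stage": "safe_mode_autologon_chain", "stages": sorted(seen)})
                break
    return alerts


# Constructed sample telemetry: one staged host and one host doing routine admin work.
SAMPLE_EVENTS = [
    {"ts": "2022-01-10T09:00:00", "host": "WS-042", "type": "proc",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user newuser Passw0rd /add"},
    {"ts": "2022-01-10T09:00:05", "host": "WS-042", "type": "reg_set",
     "target": WINLOGON + r"\AutoAdminLogon", "details": "1"},
    {"ts": "2022-01-10T09:00:06", "host": "WS-042", "type": "reg_set",
     "target": WINLOGON + r"\DefaultUserName", "details": "newuser"},
    {"ts": "2022-01-10T09:00:07", "host": "WS-042", "type": "reg_delete",
     "target": POLICIES_SYSTEM + r"\LegalNoticeCaption"},
    {"ts": "2022-01-10T09:00:08", "host": "WS-042", "type": "proc",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {current} safeboot network"},
    {"ts": "2022-01-10T09:00:09", "host": "WS-042", "type": "proc",
     "image": r"C:\Windows\System32\shutdown.exe", "cmdline": "shutdown /r /f /t 0"},
    {"ts": "2022-01-10T09:30:00", "host": "WS-007", "type": "reg_set",
     "target": POLICIES_SYSTEM + r"\LegalNoticeText", "details": "Authorised use only"},
    {"ts": "2022-01-10T10:00:00", "host": "WS-007", "type": "proc",
     "image": r"C:\Windows\System32\shutdown.exe", "cmdline": "shutdown /r /t 300"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, WS-042 produces six low-severity hits and one high-severity chain alert; WS-007's scheduled reboot produces a single low-severity hit and its banner change none, which is the intended behaviour: the reboot alone is noise, but it is kept so that an analyst can still join it to earlier Registry activity on that host. In a real deployment the `bcdedit` and `SafeBoot\...` rules are the ones to tune first, since legitimate administration rarely touches either on a workstation.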