Security firm Sophos has found that behind this ransomware is a gang that emerged this summer and is recruiting affiliates: it is already selling access to machines it has compromised, which makes it an attractive proposition for other cybercriminals.

A ransomware attack proceeds in phases, ending with lateral movement and finally impact. After the attack, victims find their files encrypted, lose access to them and are asked to pay a ransom. Today's subject is AvosLocker, a new ransomware that uses a few simple tricks to evade the security software installed on the victim's computer.

Remote access with AnyDesk

One of AvosLocker's main characteristics is that it uses the AnyDesk remote IT administration tool and runs it in Windows Safe Mode. Rebooting into Safe Mode has previously been used by the REvil, Snatch and BlackMatter groups as a way to disable a target's security and IT management tools.

According to Sophos, the approach works because many endpoint security products do not run in Safe Mode. Safe Mode is a special Windows diagnostic configuration in which most third-party software and drivers, including security agents, are not loaded, so a machine that is otherwise protected is unprotected for as long as it stays in Safe Mode.

AnyDesk itself is a legitimate remote administration tool. It has recently become a popular alternative to TeamViewer among cybercriminals, since it offers the same functionality. By running AnyDesk in Safe Mode with network access, the attackers keep control of the infected machines while the security tools are not running. According to Peter Mackenzie, director of incident response at Sophos, although this ransomware borrows techniques from other gangs, the approach is simple but very clever. He added that although some techniques were copied, this was the first time AnyDesk had been installed for command and control of machines while in Safe Mode. AvosLocker attackers reboot machines into Safe Mode for the final stages of the attack, first modifying the Safe Mode boot settings so that AnyDesk is installed and allowed to run there.

There is a further consequence: the legitimate owners may no longer be able to manage the computer remotely once it is configured to boot into Safe Mode with AnyDesk running, so an administrator needs physical access to the infected machine to work on it. Across a large estate of Windows workstations and servers this is a serious problem.

Other techniques it uses

Sophos has observed AvosLocker using some other notable techniques. One is a Linux component that targets VMware ESXi hypervisor servers: it kills any running virtual machines and then encrypts the virtual machine files. Sophos is still investigating how the attackers obtained the administrator credentials needed to enable the ESXi Shell or otherwise access the server.

The attackers also used the IT administration tool PDQ Deploy to push several Windows batch scripts to the target machines, including Love.bat, update.bat and lock.bat. According to Sophos, in about five seconds these scripts:

Disable security products that are able to run in Safe Mode.

Disable Windows Defender.

Allow the attackers' AnyDesk remote administration tool to run in Safe Mode.

Set up a new account with automatic logon credentials.

Connect to the target's domain controller to gain remote access and run the ransomware executable, update.exe.
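As an added example (not code from the article or from Sophos), the following PowerShell script audits a Windows host for the safe-mode persistence that the steps above describe: services whitelisted to start in Safe Mode, automatic logon, a boot entry forced into Safe Mode and a disabled Defender. The article does not say which settings AvosLocker's scripts modified, so the script checks the standard Windows locations for each behaviour; the 'anydesk' name match and the seven-day account window are assumptions to adapt to your environment.

```powershell
# Added example, not code from the article or from Sophos: a read-only audit of a
# Windows host for the safe-mode persistence settings described above.
# The article does not say which settings AvosLocker modified; the locations
# checked here are the standard ones Windows uses for each behaviour.
# Run from an elevated PowerShell prompt. Nothing is changed on the host.

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Safe Mode whitelist. Only services/drivers listed under these keys start in
#    Safe Mode (Minimal) or Safe Mode with Networking (Network). Subkeys named
#    after a service carry the default value 'Service'. An entry for AnyDesk, or
#    for a service that is not installed, is suspicious. (The 'anydesk' match is
#    an assumption; adapt it to the remote-access tool you are hunting for.)
$installedServices = (Get-Service).Name
foreach ($mode in 'Minimal', 'Network') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $path)) { continue }
    foreach ($key in Get-ChildItem -Path $path) {
        $name    = $key.PSChildName
        $default = (Get-ItemProperty -Path $key.PSPath).'(default)'
        if ($name -match 'anydesk' -or "$default" -match 'anydesk') {
            $Findings.Add("SafeBoot\$mode whitelists AnyDesk: $name ($default)")
        }
        if ($default -eq 'Service' -and $installedServices -notcontains $name) {
            $Findings.Add("SafeBoot\$mode references a service that is not installed: $name")
        }
    }
}

# 2. Automatic logon. A new account plus AutoAdminLogon=1 lets the machine come
#    back up in Safe Mode with nobody at the keyboard; DefaultPassword is stored
#    in cleartext when auto-logon is configured through the registry.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ("$($winlogon.AutoAdminLogon)" -eq '1') {
    $Findings.Add("AutoAdminLogon is enabled for '$($winlogon.DefaultDomainName)\$($winlogon.DefaultUserName)'")
    if ($null -ne $winlogon.DefaultPassword) {
        $Findings.Add('DefaultPassword is present in cleartext under Winlogon')
    }
}

# 3. Boot configuration. A 'safeboot' option on the current BCD entry means the
#    next reboot lands in Safe Mode ('Network' keeps networking, which AnyDesk needs).
$bcd = & bcdedit.exe /enum '{current}' 2>$null
$safeboot = $bcd | Where-Object { $_ -match '^\s*safeboot\s+' }
if ($safeboot) {
    $Findings.Add("Current boot entry forces Safe Mode: $($safeboot.Trim())")
}

# 4. Defender state: the live status plus the policy key scripts commonly set.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { $Findings.Add('Defender real-time protection is off') }
    if (-not $mp.AntivirusEnabled)          { $Findings.Add('Defender antivirus engine is off') }
} catch {
    $Findings.Add('Get-MpComputerStatus failed; Defender service may be stopped or removed')
}
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($policy.DisableAntiSpyware -eq 1) {
    $Findings.Add('Defender is disabled by policy (DisableAntiSpyware = 1)')
}

# 5. Recently created or reset local accounts (the 7-day window is an assumption;
#    Get-LocalUser exposes PasswordLastSet but not a creation timestamp).
$cutoff = (Get-Date).AddDays(-7)
Get-LocalUser | Where-Object { $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -gt $cutoff } |
    ForEach-Object { $Findings.Add("Local account '$($_.Name)' had its password set on $($_.PasswordLastSet)") }

# Report.
if ($Findings.Count -eq 0) {
    Write-Output 'No safe-mode persistence indicators found.'
} else {
    $Findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The SafeBoot check is most useful when compared against a known-good build of the same Windows version, since legitimate third-party agents also add themselves there; any finding on a host that nobody deliberately configured for Safe Mode should be treated as a sign that the final stage of an intrusion is under way, and the host isolated before it reboots.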

Sophos warns that this ransomware is a difficult problem to clean up: responders have to deal not only with the ransomware itself but also with any backdoor the attackers have established on the network, such as the AnyDesk installation.

Finally, paying the ransom carries its own risks: there is no guarantee that you will recover your files, nor that you will not be attacked again shortly afterwards.