Ransomware uses popular remote management program to infect machines

And 2022 starts with details about new cyber threats. According to a report by security firm Sophos, criminals are using Windows Safe Mode in conjunction with the AnyDesk remote administration tool to break into and compromise company and user machines.

This combined malicious action opens the way for infection with AvosLocker, a relatively new ransomware-as-a-service (a term for virtual hijackings in which the operators rent the infrastructure rather than building it from scratch). It first appeared in late June 2021 and has since been used increasingly in digital scams. According to Sophos, the threat has already been detected in the Americas, the Middle East and Asia-Pacific, and targets Windows and Linux systems.

The company’s researchers claim that the attack begins when victims run a modified AnyDesk installer on their computers, which requires the installation to be performed in Windows Safe Mode.


With the software installed in safe mode, malicious scripts disable the threat-prevention features present in Windows, and the process finishes by infecting the machine with AvosLocker.

Criminals use a modified AnyDesk installer to infect machines. (Image: Reproduction/Sophos)

“This method of attack creates a scenario in which attackers have full remote control over all the machines they’ve configured with AnyDesk, while the target organization is likely blocked from remote access to those computers. The team had not seen these components used for ransomware and certainly never together,” explains Peter Mackenzie, Director of Incident Response at Sophos.

Processes disabled on deployment

The command that leaves the threat with persistence on the affected machines. (Image: Reproduction/Sophos)

The Sophos researchers responsible for investigating the ransomware deployment found that the main sequence starts with attackers using PDQ Deploy to run a batch script called love.bat, update.bat or lock.bat on the target machines. The script issues a series of commands that prepare the devices for launching the ransomware and then reboots them into safe mode.

The command sequence takes approximately five seconds to execute and includes the following:

  • Disabling Windows Update Services and Windows Defender;
  • Attempting to disable components of commercial security software that can run in safe mode;
  • Installing the legitimate AnyDesk remote administration tool and configuring it to run in safe mode with networking, which gives the attacker continuous command and control;
  • Setting up a new account with auto-login details, then connecting to the target domain controller for remote access and running the ransomware, called update.exe.

Finally, even if the ransomware fails to encrypt the machine’s files, the scripts installed during deployment make the threat persistent: the criminals controlling it can, for example, try again to lock the system after a reboot.
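As an added example (not code from the article or from Sophos), the following Python check correlates process-creation records on each host for the stages named above: the love.bat/update.bat/lock.bat staging script, the AnyDesk launch and the update.exe payload. A host is flagged only when two or more of those stages appear within a short window, since the report says the whole sequence runs in about five seconds, so a lone AnyDesk start on a workstation is not treated as an incident. The log format, host names, paths and timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation records: "timestamp|host|image|command_line".
# Script names, AnyDesk and update.exe come from the Sophos write-up; the hosts,
# paths and timestamps are invented for this example.
SAMPLE_LOG = """\
2021-12-20T03:14:01|WS-042|cmd.exe|cmd.exe /c C:\\staging\\update.bat
2021-12-20T03:14:03|WS-042|AnyDesk.exe|C:\\staging\\AnyDesk.exe
2021-12-20T03:14:05|WS-042|update.exe|C:\\staging\\update.exe
2021-12-20T09:00:00|WS-017|AnyDesk.exe|C:\\Program Files\\AnyDesk\\AnyDesk.exe
2021-12-20T11:30:00|WS-099|cmd.exe|cmd.exe /c C:\\scripts\\lock.bat
2021-12-20T17:45:00|WS-099|update.exe|C:\\temp\\update.exe
"""

# One regex per stage of the deployment sequence described in the article.
STAGES = {
    "staging_script": re.compile(r"\\(love|update|lock)\.bat\b", re.IGNORECASE),
    "anydesk": re.compile(r"anydesk\.exe", re.IGNORECASE),
    "payload": re.compile(r"\\update\.exe\b", re.IGNORECASE),
}
WINDOW = timedelta(seconds=60)  # generous slack around the ~5 s sequence


def parse(log_text):
    """Turn the pipe-separated records into (timestamp, host, image, cmdline)."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, host, image, cmdline = line.split("|", 3)
            events.append((datetime.fromisoformat(ts), host, image, cmdline))
    return events


def classify(cmdline):
    """Return the set of stage names whose pattern matches this command line."""
    return {name for name, rx in STAGES.items() if rx.search(cmdline)}


def find_staging_hosts(log_text, window=WINDOW, min_stages=2):
    """Map host -> sorted stage names for hosts showing >= min_stages distinct
    stages within `window` of one another; hosts with a single stage are ignored."""
    by_host = {}
    for ts, host, _image, cmdline in parse(log_text):
        stages = classify(cmdline)
        if stages:
            by_host.setdefault(host, []).append((ts, stages))
    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(evs):
            seen = set()
            for t, s in evs[i:]:
                if t - t0 > window:
                    break
                seen |= s
            if len(seen) >= min_stages:
                hits[host] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    print(find_staging_hosts(SAMPLE_LOG))  # only WS-042 is flagged
```

WS-099 runs lock.bat and update.exe hours apart, so it is not flagged at the default window; widening the window surfaces it, which is the trade-off an analyst tunes against false positives.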

“The message to IT security teams facing this type of attack is that even if the ransomware fails to run, until they clean up all traces of the attackers’ AnyDesk deployment on each affected machine, they will remain exposed as attackers have access to the organization’s network and can block it again at any time,” adds Mackenzie.

For protection against AvosLocker, the same tips used for most ransomware attacks apply:

  • Take an offline backup of your data;
  • Avoid clicking suspicious links and downloading files from unknown sources;
  • Update the operating system and software whenever possible;
  • Use strong passwords;
  • Make use of multi-factor authentication.
