
Hackers use AnyDesk in safe mode to launch attacks – Sophos
Avos Locker remotely accesses boxes, even running in Safe Mode

Guidance and detection
Working in Safe Mode makes the job of protecting computers all the more difficult, because Windows Safe Mode loads only a minimal set of drivers and services, and endpoint security tools are not among them. That said, Sophos products behaviorally detect the use of various Run and RunOnce Registry keys to do things like force a reboot into Safe Mode or execute files after a reboot. We have been refining these detections to reduce false positives, as many completely legitimate tools and software packages use these Registry keys for normal operations.
Ransomware, especially when it has been hand-delivered (as has been the case in these Avos Locker incidents), is a tricky problem to solve because one needs to deal not only with the ransomware itself, but with any mechanisms the threat actors have set up as a back door into the targeted network. No alert should be treated as “low priority” in these circumstances, no matter how benign it might seem. The key message for IT security teams facing such an attack is that even if the ransomware fails to run, until every trace of the attackers’ AnyDesk deployment is gone from every impacted machine, the targets remain exposed to repeated attempts. In these cases, where the Avos Locker attackers set up access to the victim organization’s network using AnyDesk, the attackers can lock out the defenders or launch additional attacks at any time, for as long as their remote access tools remain installed and functional.
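The two points above (reboot-into-Safe-Mode persistence via Run/RunOnce keys, and the need to clear every trace of the attackers’ AnyDesk deployment) can be turned into a quick triage sweep of a suspect host. The script below is an added example written for this article; it is not Sophos code and not the behavioral rules the article refers to. The registry locations, the SafeBoot service allow-list check, the bcdedit safeboot check and the AnyDesk file paths are the author’s assumptions about where such artefacts usually live, not indicators published by Sophos. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not Sophos code. Hunts for Run/RunOnce entries that reboot into
# Safe Mode or relaunch tooling after a reboot, and for AnyDesk remnants that
# would let the attackers back in. Paths/patterns below are assumptions.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Substrings worth a second look in a Run/RunOnce value: remote-access and
# lateral-movement tooling named in the article, plus the switches typically
# used to force the next boot into Safe Mode (assumed pattern list).
$suspicious = 'anydesk|bcdedit|safeboot|safemode|shutdown|psexec|pskill|chisel'

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata that Get-ItemProperty adds to every object.
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        if ("$($p.Value)" -imatch $suspicious) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

# AnyDesk installed as a service, and whether it has been added to the Safe Mode
# service allow-list (keys under SafeBoot\Minimal or SafeBoot\Network start in Safe Mode).
$anyDeskSvcs = Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -imatch 'anydesk' -or $_.DisplayName -imatch 'anydesk' }
foreach ($svc in $anyDeskSvcs) {
    $findings += [pscustomobject]@{ Source = 'Services'; Name = $svc.Name; Value = "$($svc.Status) ($($svc.StartType))" }
    foreach ($mode in 'Minimal','Network') {
        $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$($svc.Name)"
        if (Test-Path $sb) {
            $findings += [pscustomobject]@{ Source = "SafeBoot\$mode"; Name = $svc.Name; Value = 'service allowed to start in Safe Mode' }
        }
    }
}

# Boot configuration: a persistent 'safeboot' setting sends the next reboot into
# Safe Mode even after the RunOnce entry that set it has been consumed.
$bcd = bcdedit /enum '{current}' 2>$null
$safeBootLines = @($bcd -imatch 'safeboot')
if ($safeBootLines.Count -gt 0) {
    $findings += [pscustomobject]@{ Source = 'bcdedit'; Name = '{current}'; Value = ($safeBootLines -join '; ') }
}

# Leftover binaries and configuration (assumed AnyDesk install/config locations).
# A surviving config directory can still hold the unattended-access password the attackers set.
$anyDeskPaths = @(
    "$env:ProgramData\AnyDesk",
    "$env:APPDATA\AnyDesk",
    "$env:ProgramFiles\AnyDesk",
    "${env:ProgramFiles(x86)}\AnyDesk"
)
foreach ($path in $anyDeskPaths) {
    if (Test-Path $path) {
        $findings += [pscustomobject]@{ Source = 'Filesystem'; Name = $path; Value = 'present' }
    }
}

if ($findings.Count -eq 0) {
    'No AnyDesk / Safe Mode persistence artefacts found on this host'
} else {
    $findings | Format-Table -AutoSize
}
```

Treat any hit as a reason to keep the host isolated: a single surviving RunOnce entry, Safe Mode service allow-list key or AnyDesk config directory is enough for the attackers to regain control on the next reboot, which is exactly the scenario the article warns about. Remove the artefacts, reboot, and re-run the sweep before returning the machine to the network.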
Various activities by the threat actors were detected (and blocked) by the behavioral detection rules Exec_6a and Exec_15a. Intercept X telemetry showed that the CryptoGuard protection mechanism was invoked when the ransomware attackers tried to run their executable. Sophos products will also detect the presence of Chisel (PUA), PSExec (PUA), and PSKill (PUA), but may not automatically block these files, depending on the local policies set up by the Sophos admin.