Ransomware attacks using the AvosLocker family have spiked over the past few weeks, researchers warned in a new analysis, with the ransomware-as-a-service (RaaS) starting to make a “significant effort” to disable endpoint security products on targeted systems.
Before executing the ransomware, attackers reboot infected machines in Windows Safe Mode, which is a special diagnostic configuration that disables third-party drivers and software and enables users to run diagnostic tests on the operating system.
“The reason for this is that many, if not most, endpoint security products do not run in Safe Mode,” according to Andrew Brandt with Sophos on Wednesday. “Working in Safe Mode makes the job of protecting computers all the more difficult, because Microsoft does not permit endpoint security tools to run in Safe Mode.”
Previously, ransomware families like Snatch, REvil and BlackMatter have utilized this tactic of rebooting in Safe Mode before execution. AvosLocker goes a step further by modifying the Safe Mode configuration so that attackers can also install and utilize the IT management tool AnyDesk even while Safe Mode is running. The deployment of AnyDesk means that even if the ransomware doesn’t run for some reason, attackers can still use the tool to remotely access the targeted machine and try again manually. Researchers warned that because the attackers set up access to the targeted organization’s network using AnyDesk, they retain the ability to lock out the defenders or run additional attacks at any time.
“The key message for IT security teams facing such an attack is that even if the ransomware fails to run, until every trace of the attackers’ AnyDesk deployment is gone from every impacted machine, the targets will remain vulnerable to repeated attempts,” said Brandt.
AvosLocker was first spotted in late June by researchers with Malwarebytes, which called it “a solid, yet not too fancy new ransomware family.” The ransomware authors started recruiting affiliates with remote access to hacked infrastructure through various underground forums, announcing they were looking for “pentesters with Active Directory network experience” and “access brokers,” said researchers. Part of the AvosLocker service offers affiliates help in managing communication with victims and hosting the data stolen during operations; the attackers also set up a leak website to showcase their recent ransomware attacks.
Brandt said that he has observed the ransomware targeting geographically and industrially diverse victims - including a retail business in Asia, an educational institution in the Middle East and an IT firm in North America.
“We don’t have information about the root cause... but in two cases, we found ProxyShell indicators that led us to believe that was the initial vector the attackers used,” said Brandt.
Shifting RaaS Landscape
In more recent attacks from AvosLocker in November and December, Sophos researchers have observed the use of several tools, including a TCP/UDP tunnel called Chisel, which allows attackers to create a secure back channel by setting up a tunnel over HTTP and encrypting data via SSH. Brandt said a ransomware component was also observed targeting VMware ESXi hypervisor servers by killing virtual machines and encrypting the virtual machine files - though it’s not clear how the attackers obtained the credentials needed to access the servers. Finally, attackers leveraged PDQ Deploy, a commercial IT management tool, in order to push out Windows batch scripts to targeted machines. The batch scripts, sent before the machines were rebooted into Safe Mode, lay the groundwork for the attackers to deploy the ransomware.
“These orchestration scripts modified or deleted Registry keys that effectively sabotaged the services or processes belonging to specific endpoint security tools, including the built-in Windows Defender and third party software from companies such as Kaspersky, Carbon Black, Trend Micro, Symantec, Bitdefender, and Cylance,” said Brandt.
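The Safe Mode reboot, the Safe Mode allow-listing of AnyDesk and the registry sabotage of security services described above all leave traces in the Windows boot configuration and registry. The following PowerShell audit is an added example written for this page; it is not code from the Sophos analysis or from the article. It reads three locations a defender can check on a host: the BCD safeboot flag, the SafeBoot\Minimal and SafeBoot\Network service allow-lists, and the Start values of security services. The heuristic that a Safe Mode-allowed service whose ImagePath lies outside the Windows directory is suspicious, and the Microsoft Defender service names, are assumptions chosen for illustration; the page does not name the specific keys AvosLocker’s scripts changed.

```powershell
# Added example (not from the article or from Sophos): read-only audit of a
# Windows host for the three tampering indicators described in the text.
# Service names and the "outside %SystemRoot%" heuristic are assumptions.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Pending Safe Mode boot.  A "safeboot" entry in the current boot loader
#    object means the next restart lands in Safe Mode (Minimal or Network).
$bcd = & bcdedit /enum '{current}' 2>$null
$safeboot = $bcd | Where-Object { $_ -match '^\s*safeboot\s+\S+' }
if ($safeboot) {
    $findings.Add("BCD safeboot flag set: $($safeboot.Trim())")
}

# 2. Services allow-listed for Safe Mode.  A service starts in Safe Mode only
#    if a subkey named after it exists under SafeBoot\Minimal (or \Network)
#    with the default value "Service".  Windows' own entries point at binaries
#    under the Windows directory; a third-party remote-access tool installed
#    under Program Files does not, which is the heuristic applied here.
$winRoot = [regex]::Escape($env:SystemRoot)
$trusted = "(?i)^\s*`"?(%SystemRoot%|\\SystemRoot|System32|$winRoot)"
foreach ($variant in 'Minimal', 'Network') {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$variant"
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $entry = $_.PSChildName
        if ($_.GetValue('') -ne 'Service') { return }   # skip driver classes
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$entry"
        $image  = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($image -and $image -notmatch $trusted) {
            $findings.Add("Safe Mode ($variant) allows non-Windows service '$entry' -> $image")
        }
    }
}

# 3. Security services set to Disabled (Start = 4), which is what sabotaging
#    a security product's service through the registry looks like on disk.
#    Only Microsoft Defender service names are listed; add the service names
#    of any third-party agent in use (placeholder list, not from the page).
$securityServices = 'WinDefend', 'WdNisSvc', 'Sense'
foreach ($svc in $securityServices) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { continue }   # product not installed here
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {
        $findings.Add("Security service '$svc' has Start=4 (Disabled)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Safe Mode tampering indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from an elevated PowerShell session, since bcdedit and parts of the SYSTEM hive require administrator rights; a non-zero exit code makes it easy to schedule from endpoint management tooling and alert on any finding. The check is deliberately read-only: it reports, and leaves remediation (removing the remote-access tool and restoring service start types) to the incident responder.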
With AvosLocker attacks spiking - as well as those involving several other RaaS families - researchers are pointing to a rapidly shifting RaaS ecosystem. Recent Intel 471 research observed 612 ransomware attacks between July and September from 35 different ransomware variants. Notably, these attacks showed that several lesser-known variants - such as Lockbit 2.0, Hive, Pysa and AvosLocker - have replaced more prominent families that were dominant at the beginning of the year, including Clop and REvil.
“While law enforcement around the world has gotten more aggressive in their efforts to arrest those behind attacks, developers are still easily shutting down popular variants, laying low, and coming back with finely-tuned malware used by themselves as well as affiliates,” said Intel 471 researchers.