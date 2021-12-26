In recent weeks, Sophos researchers have found that an emerging ransomware family dubbed AvosLocker has intensified its attacks using a technique already seen in the past from other ransomware groups such as Snatch, REvil and BlackMatter.

In order to run their ransomware, the attackers reboot compromised computers into Safe Mode. The reason is that most endpoint security products do not run in this well-known Windows diagnostic configuration, in which most third-party drivers and software are disabled.

The tools used by AvosLocker operators

The AvosLocker operators pair the ransomware with several complementary tools to make the attacks succeed. According to the researchers' reconstruction, the attackers used:

AnyDesk , the popular legitimate PC remote control tool, installing it thanks to a prior modification of the safe mode configuration of the compromised Windows system and providing for its use for a manual ransomware start if the final autorun process fails;

, the popular legitimate PC remote control tool, installing it thanks to a prior modification of the safe mode configuration of the compromised Windows system and providing for its use for a manual ransomware start if the final autorun process fails; the tool Chisel available on GitHub to create an SSH encrypted HTTP tunnel for use as a feedback channel;

available on to create an SSH encrypted HTTP tunnel for use as a feedback channel; the commercial IT management tool PDQ Deploy to send the Windows batch scripts to the target machines.

The batch scripts used by AvosLocker

The purpose of the batch scripts is to govern the stages of the attack and set up the final stage, in which the threat actors deploy the AvosLocker ransomware.

The infection process creates a “RunOnce” key in the registry that executes the ransomware payload filelessly, loading it from a location on the domain controller rather than writing it to the infected computer's filesystem (a behaviour already seen in other malware families, including IcedID).

All the batch files run before the system is rebooted into Safe Mode. They also modify or delete the registry keys that the main endpoint security products use to load and remain active (Windows Defender, Kaspersky products, Carbon Black, Trend Micro, Symantec, Bitdefender and Cylance), so that those products are not in the way after the reboot.

The attackers also used one of these batch scripts to create a “newadmin” account with administrative privileges on the infected machine, giving it the password “password123456”.

The double extortion note

The ransom note, “GET_YOUR_FILES_BACK.txt”, states that the victim's data has been encrypted and that sensitive documents have been exfiltrated.

Victims are told that they must pay to receive the decryption keys and the associated software. For further information, the note directs them to a linked website, reachable only through the Tor browser, using the ID assigned at the bottom of the message.

The message also warns that if the victim does not pay, the stolen data will be published online, announced with a press release on the group's blog, and the ransom will increase.

Quite a puzzle for IT security teams

Unfortunately, an attack carried out with the AvosLocker ransomware is a difficult problem to address, because the security team has to deal not only with the ransomware itself but also with all the mechanisms the attackers set up as their gateway into the targeted network.

“The key message for IT security teams facing such an attack is that even if the ransomware is not executed, until all traces of the attackers’ AnyDesk implementation have disappeared from every affected machine, the targets will remain vulnerable to repeated attempts,” commented Sophos researcher Andrew Brandt.

“In these cases, where AvosLocker attackers configure their access to an organization’s network using AnyDesk,” he continues, “attackers can lock out defenders or carry out additional attacks at any time, as long as the attackers’ remote access tools remain installed and functioning.”

The best way to mitigate the AvosLocker threat is to adopt security measures that perform behavioural analysis of the use of the Run and RunOnce registry keys, so that anomalous activity such as rebooting the system into Safe Mode, or running a file immediately after a reboot, can be blocked pre-emptively. The one difficulty here is false positives, since a great deal of legitimate software uses these registry keys in normal operation.
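As an added example (not code from Sophos or from the original article), the following PowerShell audit checks a single Windows host for the artefacts described above: a pending Safe Mode boot in the BCD, remote-control tools registered under the SafeBoot registry keys so that they survive the Safe Mode reboot, Run/RunOnce commands that point at a UNC path or at a remote-control tool, an installed AnyDesk service, and the “newadmin” account. The service name “AnyDesk” and the list of tool names to flag are assumptions; the script only reports and changes nothing.

```powershell
# Added example: host audit for the AvosLocker-style Safe Mode persistence
# pattern. Not from Sophos or the original article. Run from an elevated
# PowerShell 5.1+ session. Reports only; it changes nothing.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. A pending Safe Mode boot shows up as a 'safeboot' entry on the current
#    boot loader object (what "bcdedit /set {current} safeboot network" leaves).
$bcd = & bcdedit /enum '{current}' 2>$null
$safeboot = @($bcd | Where-Object { $_ -match '^\s*safeboot\s+' })
if ($safeboot.Count -gt 0) {
    $findings.Add("BCD: current boot entry has a safeboot setting: $($safeboot -join '; ')")
}

# 2. Only services and drivers listed under SafeBoot\Minimal or SafeBoot\Network
#    start in Safe Mode. Remote-control tools listed there are a red flag; the
#    names below are assumptions about what an operator might register.
$suspectTools = @('anydesk', 'teamviewer', 'chisel')
foreach ($mode in @('Minimal', 'Network')) {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $base)) { continue }
    foreach ($entry in Get-ChildItem -Path $base) {
        $name = $entry.PSChildName
        foreach ($tool in $suspectTools) {
            if ($name -match $tool) { $findings.Add("SafeBoot\$mode allows '$name' in Safe Mode") }
        }
    }
}

# 3. Run/RunOnce values whose command is a UNC path (payload pulled from a
#    remote share, e.g. a domain controller) or references a remote-control tool.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $cmd = [string]$prop.Value
        # '\\\\[^\\]+\\' matches a \\server\share prefix anywhere in the command line
        if ($cmd -match '\\\\[^\\]+\\' -or ($suspectTools | Where-Object { $cmd -match $_ })) {
            $findings.Add("$key\$($prop.Name) = $cmd")
        }
    }
}

# 4. Remote-access tool installed as a service (service name is an assumption)
#    and the account name the article reports the operators created.
if (Get-Service -Name 'AnyDesk' -ErrorAction SilentlyContinue) {
    $findings.Add('Service: AnyDesk is installed')
}
if (Get-LocalUser -Name 'newadmin' -ErrorAction SilentlyContinue) {
    $findings.Add("Local account 'newadmin' exists")
}

if ($findings.Count -eq 0) {
    Write-Output 'No AvosLocker-style Safe Mode persistence artefacts found.'
} else {
    Write-Output 'Findings (review each; legitimate software also uses Run/RunOnce):'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Each finding needs human review: the Run/RunOnce keys are used by plenty of legitimate installers, and a help desk may have added a remote-control tool to the SafeBoot keys on purpose. The combination of a safeboot BCD setting, a remote-control tool permitted in Safe Mode and a RunOnce command that loads from a remote share is the pattern worth escalating.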

