New Ransomware Named AvosLocker Uses Multiple Tricks In Attacks

There’s a new strain of ransomware to be concerned about in the form of AvosLocker.

This is from security firm Sophos who warns that the new strain of human-operated ransomware is one to watch.

AvosLocker burst onto the scene over the summer of this year (2021). Having enjoyed some success with their product the gang behind the code is now on the hunt for partners in a bid to fill the gap left by REvil’s departure.

One of the key features of the malware’s design is the fact that it leverages the AnyDesk remote IT admin tool while running it in Windows Safe mode. We’ve seen malware that leverages Windows Safe Mode. Safe Mode loads with a minimal set of drivers and it is less well-protected but it isn’t exactly a common tactic.

AnyDesk is of course a perfectly legitimate tool used by thousands of professionals all over the world every day.  Here however it is being put to nefarious use and by combining it with running in Safe Mode and it allows the hackers to deal serious damage to their targets.

Peter Mackenzie is the Director of Incident Response at Sophos. Mackenzie says the group behind this new strain relies on simple but very clever tactics and methodologies to get the job done. So far, they’ve been amazingly successful.

The company had this to say about the new strain:

“Ransomware, especially when it has been hand-delivered (as has been the case in these Avos Locker instances), is a tricky problem to solve because one needs to deal not only with the ransomware itself, but with any mechanisms the threat actors have set up as a back door into the targeted network. No alert should be treated as “low priority” in these circumstances, no matter how benign it might seem.”

Wise words indeed.  Stay alert out there.