AvosLocker ransomware exploits AnyDesk and Safe Mode: Sophos

Security provider Sophos claims that attackers behind the AvosLocker ransomware are using the combination of Windows Safe Mode and the AnyDesk remote administration tool to bypass security checks and implant their malware.

AvosLocker is a fairly new ransomware-as-a-service that has previously been used to attack Windows and Linux systems in the Americas, Middle East and Asia-Pacific, according to Sophos.

AnyDesk is a remote desktop app for Windows, macOS, Linux, iOS, and Android.

Sophos discovered that AvosLocker attackers installed AnyDesk to run in safe mode, tried to disable components of security solutions that run in safe mode, and then executed the ransomware in safe mode This creates a scenario where the attackers have full remote control over every machine they have configured with AnyDesk, while the target organization is likely blocked for remote access to those machines. Sophos does not never seen some of these components used with ransomware, and certainly not together, ”said Sophos incident response director Peter Mackenzie.

“The message for IT security teams facing such an attack is that even if the ransomware fails to run, until they clean all traces of the attackers’ AnyDesk deployment from each affected machine, they will remain exposed because attackers have access to their organization’s network and can lock them down again at any time. “

On Windows, AvosLocker is deployed through a batch file that turns off Windows Update Services and Windows Defender, attempts to disable components of commercial security software solutions that can run in safe mode, installs AnyDesk and configures it to that it runs in safe mode, sets up a new account with automatic login credentials, and then connects to a domain controller for remote access and run the ransomware itself.

“The techniques used by AvosLocker are simple, but very smart. They ensure that the ransomware has the best chance of functioning in safe mode and allows attackers to maintain remote access to machines throughout the attack, ”Mackenzie said.

“Sophos reported that Snatch and BlackMatter implemented the technique. However, none of these ransomware groups have attempted to install a later application, such as AnyDesk, for the command and control of machines in Safe Mode. We think this for the first time. “

Naturally, Sophos emphasizes that its endpoint products, including Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks, such as those described in this Sophos research.

More details on Sophos analysis can be found here.


It’s all about webinars.

Marketing budgets are now focused on webinars combined with lead generation.

If you want to promote a webinar, we recommend at least one campaign 3-4 weeks before your event.

The iTWire campaign will include extensive advertisements on our news site itwire.com and significant promotion in the https://itwire.com/itwire-update.html newsletter and promotional and editorial news. Plus a video interview of the keynote speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in promotional messages on the iTWire homepage.

Now that we are coming out of Lockdown, iTWire will focus on helping your webinars and campaigns and supporting through partial payments and extended durations, a Webinar Business Booster pack and other support programs. We can also create your advertisements and written content and coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click on the button below.



iTWire TV offers unique value to the technology industry by providing a range of video interviews, news, views and reviews, and also offers vendors the ability to promote your business and marketing messages.

We work with you to develop the message and conduct the product interview or review in a safe and collaborative manner. Unlike other Tech YouTube channels, we create a story around your post and post it on the ITWire homepage, linked to your post.

Additionally, your maintenance post message can be displayed in up to 7 different post views on our iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant lead generation opportunity for your business.

We also provide 3 videos in one recording / session if you need them so that you have a series of videos to promote to your clients. Your sales team can add your emails to the sales materials and footer of their sales and marketing emails.

Get the latest tech news, views, interviews, reviews, product promotions and events. Plus fun videos from our readers and customers.


Previous Rising speaker Zeke Kemp makes his voice heard across the country
Next Asian factory workers on the brink of Western supply chain crisis | Global development