Security firm Sophos warns that AvosLocker, a human-operated ransomware gang that emerged this summer, is on the hunt for partners – such as ‘access brokers’ who sell access to already-hacked machines – in the hope of filling the gap left by REvil’s withdrawal. One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target’s intended security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe. SEE: A winning strategy for cybersecurity (ZDNet special report) AnyDesk, a legitimate remote admin tool, has become a popular alternative among criminals to TeamViewer, which offered the same functionality. Running AnyDesk in Safe Mode while connected to the network allows the attacker to maintain control of infected machines. While AvosLocker merely repackages techniques from other gangs, Peter Mackenzie, director of incident response at Sophos, described their use as “simple, but very clever”. Mackenzie says that while Avos copied the Safe Mode technique, installing AnyDesk for command and control of machines while in Safe Mode is a first. The AvosLocker attackers reboot the machines into Safe Mode for the final stages of the attack, but also modify the Safe Mode boot configuration to allow AnyDesk to be installed and run. Sophos notes in a blogpost that legitimate owners might not be able to remotely manage a computer if it is configured to run AnyDesk in Safe Mode. An admin might need physical access to the infected computer to manage it, which could pose problems for a large network of Windows PCs and servers. Sophos has detected several more curious techniques used by AvosLocker. A Linux component, for example, targets VMware ESXi hypervisor servers by killing any virtual machines (VMs), then encrypting the VM files. Sophos is investigating how the attackers obtained the admin credentials needed to enable the ESX Shell or access the server. SEE: Hackers are turning to this simple technique to install their malware on PCs The attackers also used the IT management tool PDQ Deploy to push several Windows batch scripts to intended target machines, including Love.bat, update.bat, and lock.bat. As Sophos explains, in about five seconds, these scripts disable security products that can run in Safe Mode, disable Windows Defender, and allow the attacker’s AnyDesk tool to run in Safe Mode. They also set up a new account with automatic login details and then connects to the target’s domain controller to remotely access and run the ransomware executable, update.exe. Sophos warns: “Ransomware, especially when it has been hand-delivered (as has been the case in these Avos Locker instances), is a tricky problem to solve because one needs to deal not only with the ransomware itself, but with any mechanisms the threat actors have set up as a back door into the targeted network. No alert should be treated as “low priority” in these circumstances, no matter how benign it might seem.”