AvosLocker ransomware can run in Windows Safe Mode

Most security solutions are automatically disabled after booting Windows devices in Safe Mode.

AvosLocker ransomware has focused its recent attacks on disabling endpoint security solutions by restarting compromised Windows systems in Safe Mode.

This tactic makes it easier to encrypt victims’ files because most security solutions are automatically disabled after Windows devices are booted into Safe Mode.

According to a report by SophosLabs researchers, AvosLocker operators use PDQ Deploy, a legitimate patch-management and software-deployment tool, to automate the attack. With it, the attackers push several Windows batch scripts to each targeted device, laying the groundwork for the attack.

The scripts modify or delete registry keys belonging to specific endpoint security tools, including Windows Defender and products from Kaspersky Lab, Carbon Black, Trend Micro, Symantec, Bitdefender, and Cylance. The scripts also create a new user account called newadmin on the compromised system, adding it to the Administrators user group.

The criminals then configure that account to log on automatically when the machine reboots into Safe Mode with Networking, and delete the registry keys for the Legal Notice dialog that could block an automatic logon. The scripts then issue the reboot command that puts the computer into Safe Mode. Once it is back up, the ransomware payload is launched from a location on the domain controller.

If the automatic payload execution process fails, the operator can take over manual control of the procedure using the AnyDesk remote access tool.

“The penultimate step in the infection process is the creation of a RunOnce key in the registry, which executes the ransomware payload filelessly,” the experts explained.
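The chain described above leaves a recognisable set of traces: an unexpected local Administrator, autologon pointed at it, a cleared legal notice and a RunOnce entry. As an added triage example (not code from the article or from Sophos), the function below scores a host against that combination, reading a registry snapshot given as a plain dictionary; the sample snapshot, the `newadmin` account name and the UNC path are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Registry locations involved in the Safe Mode autologon chain described above.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_SYSTEM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUNONCE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

Snapshot = Dict[str, Dict[str, str]]  # key path -> {value name: value data}


def triage_safe_mode_prep(snapshot: Snapshot, local_admins: List[str],
                          expected_admins: List[str]) -> Tuple[str, List[str]]:
    """Return (severity, findings) where severity is "high", "medium", "low" or "none".

    Autologon or a RunOnce entry on its own is common (kiosks, installers); the
    combination with an unexpected local Administrator is what warrants an immediate look.
    """
    findings: List[str] = []
    expected = {a.lower() for a in expected_admins}
    rogue_admins = [a for a in local_admins if a.lower() not in expected]
    for account in rogue_admins:
        findings.append(f"unexpected member of local Administrators: {account}")

    winlogon = snapshot.get(WINLOGON, {})
    autologon_user = winlogon.get("DefaultUserName", "")
    autologon_on = winlogon.get("AutoAdminLogon") == "1"
    if autologon_on:
        findings.append(f"AutoAdminLogon enabled for '{autologon_user}'")
        if autologon_user.lower() in {a.lower() for a in rogue_admins}:
            findings.append("autologon account is the unexpected Administrator")
        # The scripts clear the legal-notice banner so nothing waits for a keypress.
        policy = snapshot.get(POLICY_SYSTEM, {})
        if not policy.get("LegalNoticeCaption") and not policy.get("LegalNoticeText"):
            findings.append("no legal notice configured (nothing would interrupt autologon)")

    runonce = snapshot.get(RUNONCE, {})
    for name, data in runonce.items():
        findings.append(f"RunOnce entry '{name}' -> {data}")

    if autologon_on and rogue_admins and runonce:
        return "high", findings
    if autologon_on and (rogue_admins or runonce):
        return "medium", findings
    return ("low" if findings else "none"), findings


# Constructed sample snapshot (placeholder values, not real data) mirroring the chain above.
SAMPLE_SNAPSHOT: Snapshot = {
    WINLOGON: {"AutoAdminLogon": "1", "DefaultUserName": "newadmin"},
    POLICY_SYSTEM: {},
    RUNONCE: {"*launch": r"\\DC-PLACEHOLDER\share\payload.exe"},
}
```

On a live host the snapshot would be filled from `reg query` output or the `winreg` module and the admin list from `net localgroup Administrators`; the scoring itself stays the same.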
