[MART] - Daily Diary #418 - AvosLocker Ransomware Abusing Windows Safe Mode

CTAS-MAT ctas-mat at appgate.com
Thu Dec 23 21:10:20 UTC 2021 

Hello,

I hope everyone is doing well!

Below is the entry for today.

12/23/2021 - Diary entry #418:

AvosLocker is a Ransomware group that first appeared in July 2021. Once executed, it appends the ".avos" extension to the encrypted files and drops a ransom note named "GET_YOUR_FILES_BACK.txt" in every encrypted directory. Its authors advertised in various underground forums, such as Dread (a popular dark web forum), looking for new affiliates.

In recent attacks, AvosLocker is rebooting compromised systems into Windows Safe Mode to disable security solutions, allowing it to encrypt all files without being interfered with. This is not a new tactic, since it was already used by Snatch Ransomware last year, as we covered in our first Daily Diary.

As soon as AvosLocker operators gain initial access, they use a legitimate deployment tool, named PDQ Deploy, to execute several Windows batch scripts. These scripts modify and delete Registry keys that belong to specific endpoint security tools. They also create a new user account, adding it to the Administrators user group. Next, they configure that account to automatically log in when the system reboots into Safe Mode. Once it's rebooted, the ransomware payload is executed from a Domain Controller location.

Our team monitors AvosLocker's wall-of-shame, a dark web blog where they publish stolen data from victims that refused to pay the ransom. So far, there are 49 victims shown there since July 13, including Gigabyte Inc. and Pacific City Bank (covered in our Daily Diary #366). Using this new tactic, AvosLocker will certainly increase its number of victims.

Merry Christmas and Kind Regards,

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20211223/79d2c30e/attachment.htm>

More information about the MART mailing list