Ransomware uses AnyDesk to launch attacks

Issue 8 2021 News & Events

Sophos has released new research about AvosLocker ransomware in the article, AvosLocker remotely accesses boxes, even running in safe mode.

Sophos research explains how attackers attempt to bypass security controls by using a combination of Windows Safe Mode and the AnyDesk remote administration tool. Windows Safe Mode is an IT support method for resolving IT issues that disables most security and IT administration tools, while AnyDesk provides continuous remote access.

AvosLocker is a relatively new ransomware-as-a service that first appeared in late June 2021 and is growing in popularity, according to Sophos. The Sophos Rapid Response team has so far seen AvosLocker attacks in the Americas, Middle East and Asia-Pacific, targeting Windows and Linux systems.

“Sophos discovered that the AvosLocker attackers installed AnyDesk so it works in Safe Mode, tried to disable the components of security solutions that run in Safe Mode and then ran the ransomware in Safe Mode. This creates a scenario where the attackers have full remote control over every machine they’ve set up with AnyDesk, while the target organisation is likely locked out of remote access to those computers.

Sophos has never seen some of these components used with ransomware and certainly not together,” said Peter Mackenzie, director of incident response at Sophos. “The message for IT security teams facing such an attack is that even if the ransomware fails to run, until they clean every trace of the attackers’ AnyDesk deployment from every impacted machine, they will remain exposed as the attackers have access to their organisation’s network and can lock them out again at any time.”

The ransomware deployment process

Sophos researchers investigating the ransomware deployment found that the main sequence starts with attackers using PDQ Deploy to run and execute a batch script called ‘love.bat’, ‘update.bat’ or ‘lock.bat’ on targeted machines. The script issues and implements a series of consecutive commands that prepare the machines for the release of the ransomware and then reboots into Safe Mode.

The command sequence takes approximately five seconds to execute and includes the following:

• Disabling Windows update services and Windows Defender.

• Attempting to disable the components of commercial security software solutions that can run in Safe Mode.

• Installing the legitimate remote administration tool AnyDesk and setting it to run in Safe Mode while connected to the network, ensuring continued command and control by the attacker.

• Setting up a new account with auto login details and then connecting to the target’s domain controller to remotely access and run the ransomware executable, called update.exe.

“The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack,” said Mackenzie. “Sophos has reported on Snatch and BlackMatter implementing the technique, however, neither of these ransomware groups attempted to install a subsequent application, such as AnyDesk, for command and control of the machines while in Safe Mode. We believe we’re seeing this for the first time.”




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

IZI Group acquires G4S Cash Solutions South Africa
News & Events
IZI Africa, a sister company within the IZI Group, has acquired G4S Cash Solutions (SA) following the receipt of all necessary regulatory approvals. This transaction marks a significant consolidation in the South African cash handling industry.

Read more...
Secutel maintains ISO certifications
News & Events Fire & Safety
Secutel Technologies has successfully recertified all four of its ISO standards, a reflection of its continued commitment to excellence, client trust, and operational integrity.

Read more...
SABRIC appoints Andre Wentzel as interim CEO
News & Events Financial (Industry) Associations
The South African Banking Risk Information Centre (SABRIC) has announced the appointment of Andre Wentzel as interim chief executive officer, effective immediately.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
Paxton cuts emissions by over a third
Paxton News & Events
Paxton has announced a significant reduction in its carbon footprint, cutting emissions by 961 tonnes of CO2e in its 2023 second reporting year.

Read more...
Most wanted malware
News & Events Information Security
Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Eight African countries are among the most targeted as malware leaders AsyncRAT and FakeUpdates expand.

Read more...
Securex gears up for Cape Town
News & Events
Four industry expos debut in Cape Town from 21–23 October, providing access to Africa’s tech hub and a rapidly expanding local market, through a platform covering security, OSH, facilities management, and fire safety solutions in one venue.

Read more...
Firexpo 2025 ignites interest in fire safety
Fire & Safety News & Events
Firexpo 2025 showcased fire detection, suppression, and safety tech, drawing professionals eager to explore innovations, gain insights, and connect with suppliers.

Read more...
SMARTpod talks to Sophos and Phishield
SMART Security Solutions Technews Publishing Sophos Videos Information Security News & Events
SMARTpod recently spoke with Pieter Nel, Sales Director for SADC at Sophos, and Sarel Lamprecht, MD at Phishield, about ransomware and their new cyber insurance partnership.

Read more...
Cybersecurity and insurance partnership for sub-Saharan Africa
Sophos News & Events Information Security Security Services & Risk Management
Sophos and Phishield Announce first-of-its-kind cybersecurity and insurance partnership for sub-Saharan Africa. The SMARTpod podcast, discussing the deal and the state of ransomware in South Africa and globally, is now also available.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.