After discovering that they had encrypted a US government agency, the AvosLocker ransomware operation offered a free decryptor. AvosLocker infiltrated a US police department last month, encrypting devices and stealing data during the attack.
Sophos researchers investigating AvosLocker ransomware deployments found that the attack begins with the attackers using PDQ Deploy to push and execute a batch script, named "love.bat," "update.bat," or "lock.bat," on the targeted workstations. The script runs a series of commands that prepare the machines for the ransomware before rebooting them into Safe Mode. Windows Safe Mode is a troubleshooting mode intended for IT support, in which most security software and IT administration tools are not loaded.
The command sequence takes about five seconds to execute. It disables the Windows Update services and Windows Defender, attempts to disable the components of commercial security products that can still run in Safe Mode, installs the legitimate remote administration tool AnyDesk and configures it to run in Safe Mode with networking (so the attackers keep command and control of the machine throughout), creates a new account with auto-login credentials, and finally connects to the target's domain controller in order to remotely access and run the ransomware executable, called update.exe.
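As an added illustration of how a defender could spot the chain described above (this is not code from Sophos or from the article), the following Python detector scores constructed process-creation events for the stages the article names; the event format, the indicator names and the scoring threshold are assumptions.

```python
import re

# Constructed sample process-creation events as (parent image, command line).
# These are not real telemetry; they mirror the stages described in the article.
SAMPLE_EVENTS = [
    ("PDQDeployRunner.exe", r"cmd.exe /c C:\Windows\Temp\update.bat"),
    ("cmd.exe", "sc config wuauserv start= disabled"),
    ("cmd.exe", "sc config WinDefend start= disabled"),
    ("cmd.exe", "bcdedit /set {default} safeboot network"),
    ("cmd.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk" /ve /d Service /f'),
    ("cmd.exe", r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /d 1 /f'),
    ("explorer.exe", "notepad.exe report.txt"),
]

# One (name, regex) pair per stage of the chain. Several of these are benign
# on their own during normal administration; the combination is what matters.
INDICATORS = [
    ("deploy_tool_runs_batch", re.compile(r"(?:love|update|lock)\.bat", re.I)),
    ("update_or_defender_disabled",
     re.compile(r"sc\s+config\s+(?:wuauserv|windefend)\s+start=\s*disabled", re.I)),
    ("safe_mode_boot_set", re.compile(r"bcdedit.*safeboot", re.I)),
    ("remote_tool_allowed_in_safe_mode", re.compile(r"SafeBoot\\(?:Network|Minimal)\\", re.I)),
    ("auto_logon_enabled", re.compile(r"AutoAdminLogon", re.I)),
]


def match_indicators(events):
    """Return the set of indicator names hit by any command line in `events`."""
    hits = set()
    for _parent, cmdline in events:
        for name, pattern in INDICATORS:
            if pattern.search(cmdline):
                hits.add(name)
    return hits


def classify(events, threshold=3):
    """Flag a host when at least `threshold` distinct stages are seen, or when a
    Safe Mode reboot is combined with a remote tool being permitted in Safe Mode,
    which is the core of the technique regardless of how many other stages fired.
    Returns (flagged, sorted list of stage names)."""
    hits = match_indicators(events)
    core = {"safe_mode_boot_set", "remote_tool_allowed_in_safe_mode"}
    flagged = len(hits) >= threshold or core <= hits
    return flagged, sorted(hits)


if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))
```

Because the stages are scored per host rather than matched as a single string, reordering the commands or renaming the batch file does not by itself defeat the check.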
“The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack,” said Peter Mackenzie, director of incident response at Sophos.
According to a screenshot released by security researcher pancak3, the AvosLocker operators offered a free decryptor once they learned that the victim was a government entity. While providing the decryptor to the police department, the ransomware group declined to offer a list of stolen files or details on how they gained access to the department's network. According to an AvosLocker operation member, they have no strategy for whom they target but typically avoid encrypting government agencies and hospitals.
"You should note, however, that sometimes an affiliate will lock a network without having us review it first," the AvosLocker operator said.
Over the last year, international law enforcement activities have resulted in numerous indictments or arrests of ransomware members and money launderers. These arrests include members of the ransomware groups REvil, Egregor, Netwalker, and Clop. This increased pressure has had a noticeable effect, contributing to the shutdown of various ransomware operations, including DarkSide, BlackMatter, Avaddon, and REvil.