AvosLocker ransomware reboots in Safe Mode to bypass security tools (Security News, December 2021)

In recent attacks, the AvosLocker ransomware gang has started focusing on disabling endpoint security solutions that stand in their way by rebooting compromised systems into Windows Safe Mode.
This tactic makes it easier to encrypt victims' files since most security solutions will be automatically disabled after Windows devices boot in Safe Mode.
Finally, the attackers' scripts execute a reboot command that puts the machine into Safe Mode.
This same Safe Mode execution method was previously used by other ransomware groups, including REvil, BlackMatter, and Snatch, so this is clearly a security gap that needs to be addressed.
The whole idea behind putting the machine in Safe Mode is to disable any running security tools since most endpoint protection solutions don't run in that mode.
To keep arbitrary reboot-into-Safe-Mode commands from taking effect on your machines, ensure that your security tools can detect and block the addition of suspicious Registry keys.
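As an added illustration of the detection the article recommends (example code, not from the article or from any vendor), the script below scans Sysmon-style registry events for writes under the SafeBoot keys that decide which services and drivers load in Safe Mode. The log format, the sample events and the allow-list of legitimate writers are all constructed assumptions for this example.

```python
import re

# Registry paths whose subkeys enumerate the services and drivers Windows
# loads in Safe Mode. A new entry here lets a program run while most
# endpoint agents are not loaded, which is what the Safe Mode tactic relies on.
SAFEBOOT_PATHS = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)

# Assumed baseline of processes allowed to touch SafeBoot (servicing stack);
# tune this from your own environment's telemetry.
KNOWN_WRITERS = {r"C:\Windows\servicing\TrustedInstaller.exe"}

# Constructed key="value" export of Sysmon registry events:
# EventID 12 = key created/deleted, EventID 13 = value set.
SAMPLE_LOG = [
    r'EventID="13" Image="C:\Windows\servicing\TrustedInstaller.exe" TargetObject="HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys\(Default)" Details="Driver"',
    r'EventID="12" Image="C:\Users\Public\update.exe" TargetObject="HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UpdSvc" Details=""',
    r'EventID="13" Image="C:\Windows\regedit.exe" TargetObject="HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdSvc\(Default)" Details="Service"',
    r'EventID="13" Image="C:\Program Files\App\app.exe" TargetObject="HKLM\SOFTWARE\App\Setting" Details="1"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def is_safeboot_write(event):
    """True if the event creates a key or sets a value under a SafeBoot list."""
    if event.get("EventID") not in {"12", "13"}:
        return False
    target = event.get("TargetObject", "").lower()
    return any(target.startswith(p.lower() + "\\") for p in SAFEBOOT_PATHS)


def find_suspicious(lines):
    """Return (image, target) pairs for SafeBoot writes by non-baseline processes."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_safeboot_write(ev) and ev.get("Image", "") not in KNOWN_WRITERS:
            hits.append((ev.get("Image", ""), ev["TargetObject"]))
    return hits


if __name__ == "__main__":
    for image, target in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {image} modified Safe Mode load list: {target}")
```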