
AvosLocker ransomware reboots in Safe Mode to bypass security tools
2021-12-23 17:47

In recent attacks, the AvosLocker ransomware gang has started focusing on disabling endpoint security solutions that stand in their way by rebooting compromised systems into Windows Safe Mode.

This tactic makes it easier to encrypt victims' files since most security solutions will be automatically disabled after Windows devices boot in Safe Mode.

Finally, the scripts execute a reboot command that puts the machine into Safe Mode.

This same Safe Mode execution method was previously used by other ransomware groups, including REvil, BlackMatter, and Snatch, so this is clearly a security gap that needs to be addressed.

The whole idea behind putting the machine in Safe Mode is to disable any running security tools since most endpoint protection solutions don't run in that mode.

To prevent arbitrary reboot commands from being executed on your machines, ensure that your security tools can detect and block the addition of suspicious Registry keys.
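As an added defensive illustration (not code from the article or from BleepingComputer), the Python below runs three simple checks over constructed Sysmon-style events for the documented Windows mechanisms used to stage a Safe Mode boot: a boot-configuration change via bcdedit, a service added to the SafeBoot allow-list, and a RunOnce value whose name starts with "*" (which Windows runs even in Safe Mode). The event field names, file paths and service name are assumptions made up for the example.

```python
"""Flag Windows telemetry that suggests a Safe Mode reboot is being staged.

Constructed example: the events below are made up, with field names modelled on
Sysmon Event ID 1 (process create) and Event ID 13 (registry value set).
A hit is a triage lead, not proof of compromise: administrators use bcdedit too.
"""
import re

# Constructed sample telemetry; paths and the service name are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} safeboot network"},
    {"EventID": 13, "TargetObject":
     r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ExampleSvc",
     "Details": "Service"},
    {"EventID": 13, "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*launch",
     "Details": r"C:\Users\Public\payload.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},   # benign, must not match
]

# Each rule: (name, Sysmon event id it applies to, predicate over the event).
RULES = [
    # Boot Configuration Data told to start in Safe Mode on next reboot.
    ("bcdedit_safeboot", 1,
     lambda e: re.search(r"\bbcdedit\b.*\bsafeboot\b",
                         e.get("CommandLine", ""), re.I)),
    # A service or driver registered to load in Safe Mode (Minimal/Network).
    ("safeboot_allowlist_entry", 13,
     lambda e: re.search(r"\\Control\\SafeBoot\\(Minimal|Network)\\",
                         e.get("TargetObject", ""), re.I)),
    # RunOnce value prefixed with '*' runs even when Run keys are skipped.
    ("runonce_safe_mode_star", 13,
     lambda e: re.search(r"\\CurrentVersion\\RunOnce\\\*",
                         e.get("TargetObject", ""), re.I)),
]


def find_safe_mode_staging(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        for name, event_id, predicate in RULES:
            if event.get("EventID") == event_id and predicate(event):
                hits.append((name, event))
    return hits


if __name__ == "__main__":
    for name, event in find_safe_mode_staging(SAMPLE_EVENTS):
        print(name, "->", event.get("CommandLine") or event.get("TargetObject"))
```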

News URL

https://www.bleepingcomputer.com/news/security/avoslocker-ransomware-reboots-in-safe-mode-to-bypass-security-tools/