AvosLocker, a relatively new ransomware family, is increasing its attacks while adopting new tactics to evade security software. First observed in the month of July, the group is now using AnyDesk in Windows Safe Mode to target its victims. 

What's new?

Researchers from Sophos Labs reported the activities of the ransomware, which continues to look for partners such as access brokers.
  • In their recent campaigns, the ransomware actors are now booting the Windows systems into Safe Mode, because many endpoint security products do not work in this mode.
  • Moreover, running the AnyDesk software in the Safe Mode while connected to the network allows the attacker to maintain control over infected machines.
  • After infection, the AvosLocker operators reboot the targeted system into Safe Mode for the final stages, while modifying the Safe Mode boot settings to allow installation of the AnyDesk.
  • In such cases, an authentic user might not be able to manage a computer remotely and may require physical access to operate the system.

VMware ESXi targeted

  • The latest variant of AvosLocker has a Linux component that targets VMware ESXi hypervisor servers by terminating any virtual machines, and then encrypts the VM files.
  • Researchers are investigating how attackers get admin credentials that are required to enable ESX Shell or access the server.

Additional technical details

Experts detected several additional tactics used by AvosLocker.
  • The attackers used the PDQ Deploy tool to spread batch scripts for target machines, such as Love[.]bat, update[.]bat, and lock[.]bat.
  • In just five seconds, these scripts could disable security products that can run in Safe Mode, disable Windows Defender, and allow the attacker's AnyDesk tool to run in Safe Mode.
  • The scripts set up a new account with automatic login information and connect to the domain controller of the target to remotely access and launch the ransomware executable, update[.]exe.


AvosLocker is one of the human-controlled ransomware attack groups, which are usually very challenging to deal with for security teams. Analysts and admins are advised to stay alert against suspicious activities inside of their network and take proactive actions to counter potential threats.

Cyware Publisher