Ransomware disables AV using Safe Mode: Avos Locker

TL;DR
Avos Locker reboots the victim machine into Windows Safe Mode, where many endpoint security products do not run, and encrypts files from there. The technique defeats protection that is only active in a normal boot, which makes it a serious threat to corporations and shows that vendors need solutions that keep working in Safe Mode.
Transcript
Hi, this is Leo from The PC Security Channel. Now, we all know about the menace of ransomware, but you might say, "Hey, I've got a good endpoint security product that is going to protect me." Well, here is a ransomware that actually bypasses all of your security mechanisms by using, ironically, Safe Mode for Windows, and unfortunately a lot of security products...
Key Insights
- 🦺 Ransomware is becoming more sophisticated: rebooting into Safe Mode lets it run where endpoint protection is not active, bypassing security products and disabling their protection.
- 🥺 Shutting the system down while encryption is in progress can leave partially written files corrupted.
- 👥 Avos Locker, REvil, and BlackMatter are among the ransomware groups using Safe Mode to evade security measures.
- 👊 The attack can be staged with a single command that reboots the system; on the way back up, the ransomware is downloaded from a remote server.
- 🎮 Controlled folder access protections may also be bypassed when the ransomware runs in Safe Mode.
- 👊 Attacks on corporations show the need for robust security measures and vendor solutions that operate effectively in Safe Mode.
- 🦻 Intezer's analysis platform gives insight into the behaviour and identification of the sample, which helps with proactive protection.
Questions & Answers
Q: How does ransomware bypass security mechanisms in Safe Mode?
Windows starts only a minimal set of services and drivers in Safe Mode, and many security products are not among them, so the ransomware runs there without interference. This is why protection has to work in Safe Mode as well, or at least catch the attempt to get there.
Q: What are the potential consequences of this ransomware attack?
If a victim shuts the computer down while encryption is in progress, the files being written at that moment may be corrupted. That is still better than having every file encrypted, but some data may be lost or inaccessible.
Q: Are there other ransomware groups using Safe Mode to bypass security?
Yes. Besides Avos Locker, REvil and BlackMatter have adopted the technique to evade endpoint security. IT administrators should be alert to new user accounts appearing without explanation, since that can be an early sign of such an attack.
Q: Can ransomware be installed on a system without executing the malware sample?
Yes. The attacker can plant a command that reboots the system into Safe Mode with Networking and then pulls the malware sample from a command and control server during that boot. So simply not executing the ransomware sample is not enough to prevent the attack; the staging command itself has to be caught.
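A host-side audit for the artefacts this kind of forced Safe Mode boot depends on, added here as an example; it is not code from the video, from Intezer, or from any vendor, and it does not claim to match what any particular sample does. It checks the generic Windows locations involved in booting into Safe Mode unattended (the BCD safeboot flag, asterisk-prefixed RunOnce values, Winlogon auto-logon, the SafeBoot service allowlist) and lists accounts created recently, the sign the Q&A above tells administrators to watch for. The default service name, the seven-day lookback and the -Remediate switch are assumptions made for this example; run it from an elevated PowerShell prompt and treat any hit as something to investigate, not as proof of compromise.

```powershell
# Added example (not from the video or any vendor): audit a Windows host for the
# artefacts an attacker needs in order to reboot it unattended into Safe Mode
# with Networking (MITRE ATT&CK T1562.009, Safe Mode Boot). Only standard
# Windows locations are checked; nothing here is an indicator from a sample.
# Run from an elevated prompt. -Remediate clears a pending safeboot flag.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [int]$NewAccountDays = 7,                     # assumption: lookback window for account creation
    [string[]]$SecurityServices = @('WinDefend')  # assumption: replace with your EDR's service name(s)
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Boot configuration. A 'safeboot' value on the {current} BCD entry forces the
#    next boot into Safe Mode (Minimal or Network) with no user interaction.
$bcdLine = bcdedit /enum '{current}' 2>$null |
    Select-String -Pattern '^\s*safeboot\s+(\S+)' | Select-Object -First 1
if ($bcdLine) {
    $mode = $bcdLine.Matches[0].Groups[1].Value
    $findings.Add("BCD: {current} has safeboot=$mode; the next reboot will enter Safe Mode")
    if ($Remediate) {
        bcdedit /deletevalue '{current}' safeboot | Out-Null
        $findings.Add('BCD: safeboot value removed')
    }
}

# 2. RunOnce. Run keys are skipped in Safe Mode, but a RunOnce value whose name
#    starts with '*' is executed even there (documented Windows behaviour), so it
#    is the natural place to launch a payload after the forced reboot.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $scope = if ($p.Name.StartsWith('*')) { 'runs even in Safe Mode' } else { 'normal boot only' }
        $findings.Add("RunOnce ($hive): '$($p.Name)' = $($p.Value) [$scope]")
    }
}

# 3. Winlogon auto-logon. Safe Mode still presents a logon screen; to run a
#    payload unattended an attacker can enable AutoAdminLogon, which stores the
#    account password in cleartext. Compare the user with the new-account list.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ("$($wl.AutoAdminLogon)" -eq '1') {
    $note = if ($wl.DefaultPassword) { ' (cleartext DefaultPassword present)' } else { '' }
    $findings.Add("Winlogon: AutoAdminLogon enabled for '$($wl.DefaultUserName)'$note")
}

# 4. Safe Mode service allowlist. Only services and drivers registered under the
#    SafeBoot keys start in Safe Mode; this is why many endpoint products are
#    simply absent there. Check whether yours is registered for Networking mode.
$safeNet = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
foreach ($svc in $SecurityServices) {
    $state = if (Test-Path "$safeNet\$svc") { 'WILL start' } else { 'will NOT start' }
    $findings.Add("SafeBoot: service '$svc' $state in Safe Mode with Networking")
}

# 5. New local accounts. Security event 4720 records account creation; an
#    account nobody can explain inside the lookback window is worth a look.
$since = (Get-Date).AddDays(-$NewAccountDays)
try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction Stop
    foreach ($e in $events) {
        # Property 0 = TargetUserName (new account), 4 = SubjectUserName (creator)
        $findings.Add("Account: '$($e.Properties[0].Value)' created $($e.TimeCreated) by '$($e.Properties[4].Value)'")
    }
} catch {
    # Get-WinEvent throws when no event matches; anything else is a real read error
    if ($_.Exception.Message -notmatch 'No events were found') {
        $findings.Add("Account: could not read Security log ($($_.Exception.Message))")
    }
}

if ($findings.Count -eq 0) { 'No Safe Mode abuse indicators found.' } else { $findings }
```

The SafeBoot check is the one that answers the video's main point directly: if your endpoint product's service is not registered under the SafeBoot keys, it will not be running when the machine comes back up in Safe Mode, whatever it promises in a normal boot. The remaining checks cover the staging the reboot needs; clearing the safeboot flag with -Remediate only cancels the pending Safe Mode boot and does not remove whatever was queued to run afterwards, so the RunOnce and account findings still need to be handled by hand.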
Summary & Key Takeaways
- Ransomware can bypass security measures by operating in Windows Safe Mode, where many security products are not running.
- This ransomware variant encrypts files using AES-256 and instructs victims to pay the ransom on the dark web using the Tor browser.
- Attackers are increasingly using this technique to disable protections before launching the ransomware, targeting both individuals and corporations.