
Avos Locker
Date of Initial Activity: 2021
Location: Unknown
Suspected Attribution: Ransomware Group
Targeted Countries: United States, China, India, Taiwan, Spain, Botswana, Indonesia, United Kingdom, Canada
Motivation: Financial Gain, Extortion
Software: Windows, Linux
Overview
AvosLocker is a sophisticated and highly effective ransomware threat actor that emerged in mid-2021, gaining significant notoriety for its use of double extortion tactics. This ransomware-as-a-service (RaaS) group operates through a model in which affiliates execute attacks using the AvosLocker ransomware, which encrypts victim files and threatens to release stolen sensitive data unless a ransom is paid. What sets AvosLocker apart from many other ransomware groups is its consistent targeting of critical sectors such as education, manufacturing, and healthcare, which made it particularly disruptive to these industries. Its attacks are often tailored to each victim, using specific techniques to breach systems, encrypt files, and exfiltrate data. This focus on both encryption and data leakage has become a hallmark of its operations, increasing the pressure on victims to pay the ransom.

Initially, AvosLocker concentrated its efforts on Windows-based systems, but it quickly evolved, expanding to Linux environments and targeting VMware ESXi servers. This adaptability allowed the group to scale its operations and affect a broader range of victims. The group's tactics, techniques, and procedures (TTPs) include exploiting well-known vulnerabilities such as ProxyShell in Microsoft Exchange servers, using compromised RDP and VPN credentials, and abusing flaws in third-party software like Zoho ManageEngine ServiceDesk Plus. These weaknesses were used to gain initial access to victims' networks, followed by the theft of sensitive data and the deployment of the ransomware.
Common targets: Individuals, Educational Services, Manufacturing, Health Care and Social Assistance, Retail Trade, Transportation and Warehousing, Information
Attack Vectors: Phishing
How they operate
Upon infiltration, AvosLocker uses a combination of processes to maximize the impact of its attacks. The ransomware is often deployed in Windows Safe Mode, allowing it to sidestep running applications and security software, such as antivirus programs, that might otherwise interfere with encryption. The threat actor also uses specific command line arguments to customize the ransomware's execution for the targeted environment. This customization includes the use of a mutex to ensure that only one instance of the ransomware runs at a time, and the selective disabling of networking and other critical functionality to avoid detection. AvosLocker then terminates specific processes and services so that its encryption runs uninterrupted, and deletes potential recovery mechanisms, such as shadow copies, to prevent victims from restoring their data.

The encryption process itself is another critical component of AvosLocker's technical operation. Once executed, the ransomware scans the infected system and enumerates all drives, including fixed drives, removable media, and network shares. AvosLocker selectively encrypts files based on their extensions, while deliberately excluding certain file types and system files to avoid system instability or detection. It uses AES in CBC mode to encrypt the victim's data and RSA to protect the AES key, so that the encryption cannot be easily reversed. This hybrid approach makes decryption impractical without the private key corresponding to the RSA public key embedded in the ransomware's binary. Finally, once encryption is complete, AvosLocker drops a ransom note on the victim's system, demanding payment in exchange for the decryption key.
The ransomware group also runs a data leak site where they upload stolen proprietary data, further pressuring the victim to comply with the ransom demand to avoid public exposure of their sensitive information. These technical methods, combined with AvosLocker’s ability to adapt to different environments and continuously evolve its attack strategies, make it a highly effective and persistent threat actor in the cybersecurity landscape.
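Two of the host behaviours described above, deletion of Volume Shadow Copies and reconfiguring the boot loader for Safe Mode, leave visible traces in process-creation telemetry. The following detection logic is an added example written for this page, not code from CyberMaterial or from any AvosLocker analysis. It assumes events shaped like the Image and CommandLine fields of Sysmon Event ID 1; the sample events are constructed, and the MITRE ATT&CK identifiers (T1490 Inhibit System Recovery, T1562.009 Safe Mode Boot) are the standard technique labels for these behaviours.

```python
"""Flag shadow-copy deletion and Safe Mode boot configuration changes in
process-creation events. The event shape (Image, CommandLine) follows Sysmon
Event ID 1; all sample events below are constructed for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    image: str
    command_line: str


# (rule name, ATT&CK technique, expected image basename, regex over the
# normalized command line). Matching on the image as well as the arguments
# keeps renamed copies from slipping past on arguments alone while still
# letting an ordinary "vssadmin list shadows" through unflagged.
RULES = [
    ("shadow_copy_deletion_vssadmin", "T1490", "vssadmin.exe",
     re.compile(r"\bdelete\b.*\bshadows\b")),
    ("shadow_copy_deletion_wmic", "T1490", "wmic.exe",
     re.compile(r"\bshadowcopy\b.*\bdelete\b")),
    ("safe_mode_boot_config", "T1562.009", "bcdedit.exe",
     re.compile(r"\bsafeboot\b")),
]


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def _normalize(cmd: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so that quoting or
    spacing tricks in the command line do not defeat the regexes."""
    stripped = cmd.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def evaluate(events):
    """Run every rule over every event and return the matches in order."""
    findings = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        cmd = _normalize(ev.get("CommandLine", ""))
        for name, technique, target_image, pattern in RULES:
            if image == target_image and pattern.search(cmd):
                findings.append(Finding(name, technique, image, cmd))
    return findings


# Constructed sample telemetry: one benign administrative command, one benign
# bcdedit query, and three commands matching the behaviours in the profile.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": 'vssadmin.exe Delete Shadows /All /Quiet'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} safeboot network"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /enum"},
]


def sample_findings():
    """Findings for the constructed sample events (three expected)."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.technique}] {f.rule}: {f.image} -> {f.command_line}")
```

A Safe Mode boot configuration change on a server is rare enough in normal operations that the `safe_mode_boot_config` rule can be treated as high severity on its own; the shadow-copy rules are best correlated with the account and host, since backup software and administrators do legitimately delete shadow copies.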
The post Avos Locker (Ransomware) – Threat Actor first appeared on CyberMaterial.