
Beneath the Surface: AvosLocker's Ransomware-as-a-Service and Cybercrime Tactics


Research and Analysis Oct 25, 2023

Origin: June 2021

Aliases: None

Targeted Sectors: Manufacturing, Financial Services, Government, Automotive, Trucking, Healthcare, Hospitality, Education, Retail

Targeted Regions: The U.S., Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the U.K., Canada, China, Taiwan

Motive: Financial gain

Common Infection Vectors: Spam, Phishing, Zero-day and other vulnerabilities

Introduction

AvosLocker, a ransomware strain that emerged in the wake of REvil's disappearance, was first detected in late June 2021, and its operators have released several iterations since. Over that period they expanded their ranks, recruiting additional team members and Initial Access Brokers (IABs). AvosLocker affiliates practice double extortion and, operating under a Ransomware-as-a-Service (RaaS) model, selectively target organizations capable of meeting the ransom demands.

AvosLocker mostly targets critical infrastructure across the U.S., with incidents also documented in countries such as Canada, the U.K., and Spain. It has gradually established itself as a notable threat, prompting the FBI to issue a warning about its activities.

Tactics, Techniques, and Procedures

AvosLocker is a multi-threaded Windows executable written in C++. It entered the cybercrime world targeting Windows systems and, roughly six months later, introduced a Linux variant capable of targeting ESXi virtual machines. Around the same time, the ransomware gained the ability to run in Safe Mode, chiefly because endpoint security products do not run in that mode.

AvosLocker runs as a console application that displays a log of the actions performed on the victim system. The ransomware accepts optional command line arguments to enable or disable certain features, giving the attacker flexibility. It also creates a mutex object as an infection marker so that a system is not encrypted twice.

Tools used

AvosLocker affiliates use a number of legitimate software and open-source tools during their intrusions to conduct data exfiltration-based extortion.

  • For initial access, AvosLocker affiliates use remote system administration tools such as Splashtop Streamer, Tactical RMM, SoftPerfect Network Scanner, PuTTY, AnyDesk, PDQ Deploy, and Atera Agent for backdoor access.

  • They use custom PowerShell scripts to enable privilege escalation and lateral movement, and to disable installed antivirus solutions. In some scenarios they have also used custom .bat scripts.

  • The affiliates have also used legitimate Windows tools, such as PsExec and Nltest, in their execution.

  • Custom webshells are put to work to enable network access and maintain persistence.

  • Furthermore, the criminals leverage the open-source applications LaZagne and Mimikatz to pilfer credentials, and use FileZilla and Rclone for data exfiltration.

  • Experts have witnessed the use of open-source network tunneling tools like Ligolo and Chisel in AvosLocker's operations.

  • Other publicly available tools that the affiliates have used are Notepad++, RDP Scanner, and 7-Zip.

Encryption process

Before encryption, the ransomware scans accessible drives and enumerates the files in each directory. It then encrypts those files and appends an extension such as ".avos", ".avos2", or "AvosLinux" to each encrypted file.

The encryption process uses a combination of RSA and AES-256 to encrypt files, and the ChaCha20 algorithm to encrypt encryption-related information; its operators claim it is one of the fastest ransomware variants available. Which files are encrypted is determined by their file extensions.

In every directory where files are encrypted, AvosLocker creates a ransom note named "GET_YOUR_FILES_BACK.txt." This note contains instructions for the victim on how to recover their files. In some cases, the text from the ransom note ("GET_YOUR_FILES_BACK.txt") is reproduced on the desktop wallpaper of infected servers.

Extortion

AvosLocker follows the double extortion model, compelling victims to pay both for a decryptor and for the non-disclosure of stolen data. With the launch of its RaaS program, AvosLocker established a Tor-based blog to name non-compliant victims and expose their stolen data, so the operators run a public leak site separate from the ransom negotiation site. Non-paying victims are listed along with a sample of data allegedly stolen from their networks, and visitors to the site can view that sample and even purchase the data.

In some cases, AvosLocker victims receive phone calls from representatives of the ransomware operators. These callers encourage victims to visit the Tor site to negotiate and may threaten to post stolen data online. Additionally, AvosLocker operators may threaten and execute DDoS attacks during negotiations to further pressure the victims.

Abusing zero-days and other bugs

The intrusion methods depend mostly on the expertise of the AvosLocker affiliate responsible for infiltrating a victim's network. Affiliates have leveraged known vulnerabilities in Microsoft Exchange, including CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, CVE-2021-31207, and the ProxyLogon vulnerabilities (CVE-2021-26855 and CVE-2021-27065). They have also been observed abusing zero-day vulnerabilities to target victims, a common characteristic of advanced ransomware groups.

In June 2022, the cybercriminals exploited Log4j (CVE-2021-44228), a zero-day critical vulnerability in the Apache Log4j 2 Java-based logging library. The same month, the group was spotted abusing the OGNL injection vulnerability (CVE-2022-26134) affecting Atlassian Confluence Server and Data Center instances to gain initial access to corporate networks.

Some AvosLocker affiliates exploited a high-risk vulnerability related to Apache Log4j (CVE-2021-45046) as well.

Avoiding detection

The attackers have migrated their infrastructure to hosts on legitimate public hosting services, making their operations harder to detect and block. The ransomware strain also manipulates file uploads to evade security checks, potentially achieving remote code execution and complete system compromise, and it has mechanisms to evade sandbox detection and to move laterally.

Victimology

Multiple U.S. critical infrastructure organizations across industries—including government, financial services, and critical manufacturing—have been targeted by the AvosLocker RaaS operation. According to the leak site claims, its affiliates have targeted organizations in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the U.K., Canada, China, and Taiwan.

In terms of sectors, the criminals predominantly target industrial, commercial, and SMB entities, focusing on automotive, trucking, banking, healthcare, hospitality, education, and retail.

By February 2022, over 60 different victims were listed on AvosLocker's leak site. Publicly disclosed victims of AvosLocker include Pacific City Bank, GIGABYTE Technology, Christus Health, Savannah College of Art and Design (SCAD), Bluefield University, and more.

Mitigation

Besides basic safety practices, the top recommendations from the FBI and CISA are:

  • Secure remote access tools by implementing application controls to manage and control the execution of software, including allowlisting remote access programs.

  • Strictly limit the use of RDP and other remote desktop services.

  • Restrict the use of PowerShell via Group Policy, granting access only to specific users on a case-by-case basis.

  • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operation, so that administrator privileges are mandatory.

Beyond that, organizations should maintain offline backups of their critical data and have a backup recovery plan in place, keeping multiple copies of sensitive data and servers in physically separate locations.

Furthermore, security teams must leverage advanced threat intelligence platforms to automatically enrich, analyze, and operationalize threat intel around ransomware threats such as AvosLocker to proactively mitigate the threat.

With Cyware's collaboration platform, security teams can also automatically share, receive, store, and manage threat detection content, including SIEM rule files, YARA rules, Sigma rules, log sources, Suricata and Snort rules, analytics files such as CAR, automated playbooks, and MITRE ATT&CK data, and so lower their threat detection time.

Summary

To date, the AvosLocker ransomware group continues to expand its arsenal with more legitimate and malicious tools. Its affiliates use a variety of tools, including PowerShell and open-source software, to infiltrate and persist on networks and to exfiltrate data. To safeguard systems, organizations and individuals should adhere to the joint Cybersecurity Advisory (CSA) issued by the FBI and CISA and be cognizant of the known IOCs, TTPs, and detection methods associated with AvosLocker.

Indicators of Compromise

MD5

829f2233a1cd77e9ec7de98596cd8165

6ebd7d7473f0ace3f52c483389cab93f

10ef090d2f4c8001faadb0a833d60089

8227af68552198a2d42de51cded2ce60

9d0b3796d1d174080cdfdbd4064bea3a

af31b5a572b3208f81dbf42f6c143f99

1892bd45671f17e9f7f63d3ed15e348e

cc68eaf36cb90c08308ad0ca3abc17c1

646dc0b7335cffb671ae3dfd1ebefe47

609a925fd253e82c80262bad31637f19

c6a667619fff6cf44f447868d8edd681

3222c60b10e5a7c3158fd1cb3f513640

90ce10d9aca909a8d2524bc265ef2fa4

44a3561fb9e877a2841de36a3698abc0

5cb3f10db11e1795c49ec6273c52b5f1

122ea6581a36f14ab5ab65475370107e

c82d7be7afdc9f3a0e474f019fb7b0f7

e09183041930f37a38d0a776a63aa673

d3cafcd46dea26c39dec17ca132e5138

f659d1d15d2e0f3bd87379f8e88c6b42

afed45cd85a191fe3b2543e3ae6aa811

31f8eedc2d82f69ccc726e012416ce33

a39b4bea47c4d123f8195a3ffb638a1b

504bd1695de326bc533fde29b8a69319

eb45ff7ea2ccdcceb2e7e14f9cc01397

d285f1366d0d4fdae0b558db690497ea

cf0c2513b6e074267484d204a1653222

SHA1

2d1ce0231cf8ff967c36bbfc931f3807ddba765c

05c63ce49129f768d31c4bdb62ef5fb53eb41b54

6f110f251860a7f6757853181417e19c28841eb4

9c8f5c136590a08a3103ba3e988073cfd5779519

e8c26db068914df2083512ff8b24a2cc803ea498

dab33aaf01322e88f79ffddcbc95d1ad9ad97374

e60ef891027ac1dade9562f8b1de866186338da1

67f0c8d81aefcfc5943b31d695972194ac15e9f2

2f3273e5b6739b844fe33f7310476afb971956dd

f6f94e2f49cd64a9590963ef3852e135e2b8deba

SHA256

e68f9c3314beee640cc32f08a8532aa8dcda613543c54a83680c21d7cd49ca0f

48dd7d519dbb67b7a2bb2747729fc46e5832c30cafe15f76c1dbe3a249e5e731

ad5fd10aa2dc82731f3885553763dfd4548651ef3e28c69f77ad035166d63db7

cdca6936b880ab4559d3d96101e38f0cf58b87d07b0c7bf708d078c2bf209460

0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6

10ab76cd6d6b50d26fde5fe54e8d80fceeb744de8dbafddff470939fac6a98c4

e9a7b43acdddc3d2101995a2e2072381449054a7d8d381e6dc6ed64153c9c96a

e737c901b80ad9ed2cd800fec7c2554178c8afab196fb55a0df36acda1324721

7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1

a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749

43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856

7731a9e1e5fff9d912b1d238dcd92c2ba671a5ea55441bb7f14b05ed40039ce1

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81

a58864dd006f0528f890c9e000e660f65ffe041ebd2bcb45903fb0228321cfb2

05ba2df0033e3cd5b987d66b6de545df439d338a20165c0ba96cde8a74e463e5

c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02

6584cd273625ee121e330a981cc04e1f1d312356c9cccdb62932ea7aad53a731

da6e60b4e39c6c556836a18a09a52cd83c47f9cf6dc9e3ad298cbcb925a62a96

373a791f058539d72983e38ebe68e98132fcf996d04e9a181145f22a96689386

fc55f8b61cb79f2b85b8bf35ff1b80f49fc61a860aca7729f35449df4928cd9b

0c50992b87ba354a256dfe4356ffa98c8bc5dd231dab0a4dc64413741edb739b

5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e

be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70

33203ecb5c34c45dacf64c42c3a24cd4aeb2ceb26b0c58ba97fc8f33319da91b

3b58516758466c8129c4899f07e1e50ca98d913f7c13665aa446c75325b7c5d8

Files and Tools

psscriptpolicytest_im2hdxqi.g0k.ps1

psscriptpolicytest_lysyd03n.o10.ps1

psscriptpolicytest_1bokrh3l.2nw.ps1

psscriptpolicytest_nvuxllhd.fs4.ps1

psscriptpolicytest_2by2p21u.4ej.ps1

psscriptpolicytest_te5sbsfv.new.ps1

psscriptpolicytest_v3etgbxw.bmm.ps1

psscriptpolicytest_fqa24ixq.dtc.ps1

psscriptpolicytest_jzjombgn.sol.ps1

psscriptpolicytest_rdm5qyy1.phg.ps1

psscriptpolicytest_endvm2zz.qlp.ps1

psscriptpolicytest_s1mgcgdk.25n.ps1

psscriptpolicytest_xnjvzu5o.fta.ps1

psscriptpolicytest_satzbifj.oli.ps1

psscriptpolicytest_grjck50v.nyg.ps1

psscriptpolicytest_0bybivfe.x1t.ps1

psscriptpolicytest_bzoicrns.kat.ps1

BEACON.PS1

Encoded PowerShell script

PowerShell backdoor

Email Address

keishagrey994@outlook[.]com

Virtual Currency Wallets

a6dedd35ad745641c52d6a9f8da1fb09101d152f01b4b0e85a64d21c2a0845ee

bfacebcafff00b94ad2bff96b718a416c353a4ae223aa47d4202cdbc31e09c92

418748c1862627cf91e829c64df9440d19f67f8a7628471d4b3a6cc5696944dd

bc1qn0u8un00nl6uz6uqrw7p50rg86gjrx492jkwfn
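The hash lists above illustrate two things any IOC-matching script has to cope with: extraction has split some SHA256 values with a stray space or fused two of them onto one line, and a few values appear twice. The following Python script is an added example, not part of this briefing or of any FBI/CISA tooling: it normalizes such lines into per-algorithm sets, then hashes files and reports matches. The sample lines are copied from the lists above (including the damaged forms); the directory walk, function names and the splitting heuristic are this example's own assumptions.

```python
import hashlib
import re
from pathlib import Path

# Hash IOC lines as they come out of a threat briefing. Extraction often breaks
# a hash with a stray space or fuses two hashes onto one line; a scanner that
# compares raw strings silently misses those. These sample lines are copied
# from the AvosLocker IOC lists above, including the damaged forms.
RAW_IOC_LINES = [
    "829f2233a1cd77e9ec7de98596cd8165",                  # MD5
    "44a3561fb9e877a2841de36a3698abc0",                  # MD5, listed twice
    "44a3561fb9e877a2841de36a3698abc0",
    "2d1ce0231cf8ff967c36bbfc931f3807ddba765c",          # SHA1
    "e68f9c3314beee640cc32f08a8532aa8dcda613543c54a83680c21d7cd4 9ca0f",  # SHA256 split by a space
    "e9a7b43acdddc3d2101995a2e2072381449054a7d8d381e6dc6ed64153c9c96a "
    "e737c901b80ad9ed2cd800fec7c2554178c8afab196fb55a0df36acda1324721",   # two SHA256 fused
]

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RUN = re.compile(r"[0-9a-fA-F]+")


def _split_run(run):
    """Cut a hex run into whole hashes, or return None if no size fits."""
    if len(run) in HASH_LENGTHS:
        return [run]
    for size in (64, 40, 32):   # longest first: 128 chars is 2 x SHA256, not 4 x MD5
        if len(run) % size == 0:
            return [run[i:i + size] for i in range(0, len(run), size)]
    return None


def normalize_hashes(lines):
    """Return ({"md5": set, "sha1": set, "sha256": set}, rejected_lines)."""
    found = {name: set() for name in HASH_LENGTHS.values()}
    rejected = []
    for line in lines:
        # Join the hex pieces of one line first: "...cd4 9ca0f" is one hash
        # broken by a space, not two tokens.
        compact = "".join(HEX_RUN.findall(line)).lower()
        if not compact:
            continue
        pieces = _split_run(compact)
        if pieces is None:
            rejected.append(line)   # keep for manual review instead of guessing
            continue
        for piece in pieces:
            found[HASH_LENGTHS[len(piece)]].add(piece)   # set() drops duplicates
    return found, rejected


def hash_bytes(data):
    """MD5, SHA1 and SHA256 of an in-memory blob (MD5/SHA1 only for IOC matching)."""
    return {name: getattr(hashlib, name)(data).hexdigest() for name in HASH_LENGTHS.values()}


def match_bytes(data, iocs):
    """(algorithm, digest) pairs from `iocs` that `data` matches."""
    digests = hash_bytes(data)
    return [(name, digests[name]) for name in HASH_LENGTHS.values() if digests[name] in iocs[name]]


def scan_directory(root, iocs):
    """Walk `root` and report files whose digest appears in the IOC sets."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue    # unreadable file: skip it rather than abort the whole scan
        for algo, digest in match_bytes(data, iocs):
            hits.append((str(path), algo, digest))
    return hits


if __name__ == "__main__":
    iocs, bad = normalize_hashes(RAW_IOC_LINES)
    print({k: len(v) for k, v in iocs.items()}, "rejected:", bad)
    print(scan_directory(".", iocs))
```

Hash IOCs are the most brittle indicator on this page: a rebuilt sample gets a new digest, so a clean scan against these lists does not clear a host. They are useful for confirming a known sample quickly; the behavioural indicators (the tools and techniques in the ATT&CK table) are what catch the next build.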

Threat Detection Content

YARA Rule

rule NetMonitor
{
    meta:
        author = "FBI"
        source = "FBI"
        sharing = "TLP:CLEAR"
        status = "RELEASED"
        description = "Yara rule to detect NetMonitor.exe"
        category = "MALWARE"
        creation_date = "2023-05-05"
    strings:
        $rc4key = {11 4b 8c dd 65 74 22 c3}
        $op0 = {c6 [3] 00 00 05 c6 [3] 00 00 07 83 [3] 00 00 05 0f 85 [4] 83 [3] 00
                00 01 75 ?? 8b [2] 4c 8d [2] 4c 8d [3] 00 00 48 8d [3] 00 00 48 8d [3] 00 00 48
                89 [3] 48 89 ?? e8}
    condition:
        uint16(0) == 0x5A4D and filesize < 50000 and any of them
}

MITRE ATT&CK Tactics and Techniques

Initial Access

Technique Title : External Remote Services

ID : T1133

Use : AvosLocker affiliates use remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTY, AnyDesk, PDQ Deploy, and Atera Agent—as backdoor access vectors.

Execution

Technique Title : Command and Scripting Interpreter (PowerShell)

ID : T1059.001

Use : AvosLocker affiliates use custom PowerShell scripts to enable privilege escalation, lateral movement, and to disable antivirus.

Technique Title : Command and Scripting Interpreter (Windows Command Shell)

ID : T1059.003

Use : AvosLocker affiliates use custom .bat scripts to enable privilege escalation, lateral movement, and to disable antivirus.

Technique Title : Windows Management Instrumentation

ID : T1047

Use : AvosLocker affiliates use legitimate Windows tools, such as PsExec and Nltest in their execution.

Persistence

Technique Title : Server Software Component

ID : T1505.003

Use : AvosLocker affiliates have uploaded and used custom webshells to enable network access.

Credential Access

Technique Title : Credentials from Password Stores

ID : T1555

Use : AvosLocker affiliates use the open-source applications LaZagne and Mimikatz to steal credentials from system stores.

Command and Control

Technique Title : Protocol Tunneling

ID : T1572

Use : AvosLocker affiliates use open-source network tunneling tools like Ligolo and Chisel.
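The "Tools used" section and the ATT&CK table above describe the same tooling from two angles: the tool names and the technique IDs they map to. The following Python script is an added example, not part of this briefing, that turns that mapping into a small process-creation triage: each event is checked against one predicate per technique, hits are grouped per host, and a host touching several techniques is flagged for escalation. The events, field names and regular expressions are assumptions constructed for the example; the technique IDs and titles are the table's, including its T1047 mapping for PsExec and Nltest.

```python
import re
from collections import defaultdict

# Process-creation events (Sysmon event 1 / Windows 4688 style), constructed
# for this example; the field names are an assumption, not a real log schema.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "AnyDesk.exe",
     "cmdline": r"C:\Users\jdoe\Downloads\AnyDesk.exe --install"},
    {"host": "srv02", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "srv02", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"host": "srv02", "parent": "cmd.exe", "image": "PsExec.exe",
     "cmdline": r"PsExec.exe \\srv03 -s cmd.exe"},
    {"host": "srv02", "parent": "cmd.exe", "image": "chisel.exe",
     "cmdline": "chisel.exe client 203.0.113.10:8080 R:socks"},
    {"host": "ws01", "parent": "explorer.exe", "image": "notepad++.exe",
     "cmdline": r"C:\Program Files\Notepad++\notepad++.exe report.txt"},
    {"host": "srv02", "parent": "cmd.exe", "image": "nltest.exe",
     "cmdline": "nltest /dclist:corp"},
]

# How each tool from the briefing is assumed to show up in telemetry.
REMOTE_TOOLS = re.compile(r"splashtop|tacticalrmm|anydesk|pdqdeploy|atera")
ENCODED_PS = re.compile(r"\b(powershell|pwsh)(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
BAT_VIA_CMD = re.compile(r"\bcmd(\.exe)?\b.*\.bat\b", re.I)
PSEXEC_NLTEST = re.compile(r"^(psexec|psexec64|nltest)(\.exe)?$", re.I)
WEB_SERVERS = re.compile(r"^(w3wp|httpd|tomcat\d*|php-cgi)(\.exe)?$", re.I)
SHELLS = re.compile(r"^(cmd|powershell|pwsh)(\.exe)?$", re.I)
CRED_TOOLS = re.compile(r"lazagne|mimikatz", re.I)
TUNNELS = re.compile(r"^(ligolo|ligolo-agent|chisel)(\.exe)?$", re.I)

# (technique ID, title, predicate). IDs and titles follow the ATT&CK table
# above, including its T1047 entry for PsExec/Nltest; the predicates are
# this example's assumptions.
RULES = [
    ("T1133", "External Remote Services",
     lambda e: bool(REMOTE_TOOLS.search(e["image"].lower()))),
    ("T1059.001", "Command and Scripting Interpreter: PowerShell",
     lambda e: bool(ENCODED_PS.search(e["cmdline"]))),
    ("T1059.003", "Command and Scripting Interpreter: Windows Command Shell",
     lambda e: bool(BAT_VIA_CMD.search(e["cmdline"]))),
    ("T1047", "Windows Management Instrumentation",
     lambda e: bool(PSEXEC_NLTEST.match(e["image"]))),
    ("T1505.003", "Server Software Component: Web Shell",
     lambda e: bool(WEB_SERVERS.match(e["parent"]) and SHELLS.match(e["image"]))),
    ("T1555", "Credentials from Password Stores",
     lambda e: bool(CRED_TOOLS.search(e["image"]) or CRED_TOOLS.search(e["cmdline"]))),
    ("T1572", "Protocol Tunneling",
     lambda e: bool(TUNNELS.match(e["image"]))),
]


def classify(event):
    """Technique IDs whose predicate fires for one process-creation event."""
    return [tid for tid, _, pred in RULES if pred(event)]


def triage(events, escalate_at=3):
    """Group hits per host. A host hitting `escalate_at` distinct techniques
    looks like a multi-stage intrusion rather than a one-off admin action."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]].update(classify(event))
    summary = {host: sorted(ids) for host, ids in per_host.items() if ids}
    escalate = sorted(h for h, ids in summary.items() if len(ids) >= escalate_at)
    return summary, escalate


if __name__ == "__main__":
    hosts, to_escalate = triage(EVENTS)
    for host, ids in hosts.items():
        print(host, ids)
    print("escalate:", to_escalate)
```

The PowerShell predicate only fires on encoded command lines because plain PowerShell use is far too common to alert on by itself; likewise a web server spawning a shell is the observable side of the web shell persistence in the table, since the shell file itself may never be logged. The escalation threshold is a starting point to tune: an RMM tool on one workstation is routine, the same host running a tunneler and credential tooling is not.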
