
AVOSLOCKER Ransomware Explained

Summary

AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that targets victims across multiple critical infrastructure sectors in the United States, including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors. In addition to handling ransom negotiations directly, AvosLocker publishes and hosts exfiltrated victim data after affiliates have infected targets. Because each affiliate brings its own tooling, AvosLocker indicators of compromise (IOCs) differ according to the type of malware used in the intrusion and the specific affiliate responsible for it. The AvosLocker leak site claims victims in several countries, including the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, Britain, Canada, China, and Taiwan. When a victim does not pay the ransom, the leak site offers the stolen data for sale to unspecified third parties.

According to research, AvosLocker was developed as a console-based application. Cybercriminals continuously develop ransomware as a service (RaaS) offerings using new tactics, techniques, and procedures (TTPs), so an upcoming variant may extend the AvosLocker ransomware's capabilities. The cybersecurity team is continuously monitoring the AvosLocker extortion campaign.

How it works

Every file encrypted by AvosLocker carries the ".avos" extension. For example, a photo named "my_photo.jpeg" is renamed to "my_photo.jpeg.avos", a report named "report.xlsx" is renamed to "report.xlsx.avos", and so on. The original extension is preserved inside the new name.

The ransom note is a file named GET_YOUR_FILES_BACK.txt, which can be found in every folder containing encrypted files.

The ransomware executable creates this ransom note, "GET_YOUR_FILES_BACK.txt", in every directory upon execution. The note instructs the victim to visit the "hxxp:xxavos2fuj6olp6x36[.]onion" website for information about the ransom amount and payment method.

Once the ransom notes have been created, the ransomware encrypts the user's documents and appends the ".avos" extension to them.

The ransomware also encrypts network share drives.

The GET_YOUR_FILES_BACK.txt note dropped by AvosLocker presents the following information:

Below is an example of how files with the ".avos" extension appear:

AvosLocker is a ransomware program whose executable code is written in C++. It runs as a console application that displays a log of the actions taken on the victim's computer. In some samples of the AvosLocker ransomware, victims were given the option of entering command line arguments through which certain features could be enabled or disabled by an attacker.

Research shows that the ransomware imports the DLLs listed below to evade detection. To build AvosLocker, the ransomware group used VC++ runtime libraries instead of calling Win32 APIs directly.

  • api-ms-win-appmodel-runtime-l1-1-2
  • api-ms-win-core-file-l1-2-2
  • api-ms-win-core-localization-l1-2-1
  • api-ms-win-core-localization-obsolete-l1-2-0
  • api-ms-win-core-processthreads-l1-1-2
  • api-ms-win-core-string-l1-1-0
  • api-ms-win-core-sysinfo-l1-2-1
  • api-ms-win-core-winrt-l1-1-0
  • api-ms-win-core-xstate-l2-1-0
  • api-ms-win-security-systemfunctions-l1-1-0
  • Eapi-ms-win-core-datetime-l1-1-1
  • ext-ms-win-ntuser-dialogbox-l1-1-0
  • ext-ms-win-ntuser-windowstation-l1-1-0

Indicators of Compromise:

To maintain persistence on victim systems, the operators modify the 'Run' keys in the Windows Registry and create scheduled tasks. AvosLocker intrusions have used the following tools:

  • Advanced IP Scanner
  • AnyDesk
  • Cobalt Strike
  • Encoded PowerShell scripts
  • PuTTY Secure Copy client tool “pscp.exe”
  • Rclone
  • Scanner
  • WinLister

Indicators

Indicator                                                          | Indicator type | Description
43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856   | Hash           | SHA-256
ievah8eVki3Ho4oo                                                   | Mutex          | Mutex Name
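The file-system artifacts described in "How it works" (the ".avos" extension, the GET_YOUR_FILES_BACK.txt note in every affected folder) and the SHA-256 hash in the Indicators table can be checked with a small triage script. The following is an added example, not code from the original post or from NetSecurity; the sample directory tree it builds is constructed, and the only real value in it is the SHA-256 taken from the table above.

```python
# Added example (not from the original post): triage a directory tree for the
# AvosLocker artifacts described above -- ".avos" files, GET_YOUR_FILES_BACK.txt
# notes, and files whose SHA-256 matches the hash in the Indicators table.
import hashlib
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "GET_YOUR_FILES_BACK.txt"
ENCRYPTED_EXT = ".avos"
# SHA-256 taken from the Indicators table on this page.
KNOWN_SHA256 = {"43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856"}


def sha256_of(path: Path) -> str:
    """Stream the file so large shares can be hashed without loading them."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def original_name(name: str) -> str:
    """'report.xlsx.avos' -> 'report.xlsx': the real extension survives."""
    return name[:-len(ENCRYPTED_EXT)] if name.lower().endswith(ENCRYPTED_EXT) else name


def triage(root) -> dict:
    """Return encrypted files, note locations and IOC hash hits under root."""
    hits = {"encrypted": [], "notes": [], "hash_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if name == RANSOM_NOTE:
                hits["notes"].append(str(p.parent))
            elif name.lower().endswith(ENCRYPTED_EXT):
                hits["encrypted"].append(str(p))
            elif sha256_of(p) in KNOWN_SHA256:  # dropped binary left on disk
                hits["hash_hits"].append(str(p))
    return hits


def demo() -> dict:
    """Constructed sample tree (not a real infection) run through triage()."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "Documents")
        docs.mkdir()
        (docs / "report.xlsx.avos").write_bytes(b"\x00ciphertext")
        (docs / RANSOM_NOTE).write_text("Your files are encrypted\n")
        Path(tmp, "clean.txt").write_text("unaffected\n")
        return triage(tmp)


if __name__ == "__main__":
    print(demo())
```

Run `triage()` against a mounted share or a forensic image copy rather than the live victim host, and treat a hash hit as confirmation only for the one sample listed; affiliates' builds will differ.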

Impact

Today, AvosLocker is delivered in two main ways: through email spam or through Trojans. You may receive numerous messages in your inbox stating that you need to pay various bills or pick up a parcel from the local FedEx office. These messages, however, are sent from unknown email addresses, not from the familiar official addresses of those companies. In all such messages the attached file is the carrier of the ransomware, and opening it infects your system with AvosLocker.

When a Trojan is already present on your PC, you may be prompted to install the ransomware under the guise of something legitimate, such as an update for Chrome or for software already installed on your computer. The Trojan itself can be disguised as a legitimate program, and the ransomware may appear as an important update or as a large bundle of extensions presented as essential to a program's operation.

A third delivery method also exists, although it is becoming less popular every day: peer-to-peer networks such as torrents or eMule. Because no one controls which files are included in the seeding, a download may carry several kinds of malware. If circumstances force you to download something from a peer-to-peer network, scan every downloaded folder or archive with an antivirus program.

Threat Summary:

Name           | Avoslocker Virus
Extension      | .avos
Ransomware note| GET_YOUR_FILES_BACK.txt
Detection      | Ransom:MSIL/ApisCryptor.PAA!MTB, Trojan-Banker.Win32.NeutrinoPOS.bnq, MSIL/Filecoder.NR
Symptoms       | Your files (photos, videos, documents) have a .avos extension and you can't open them.

Mitigation

Some of the most critical cybersecurity best practices act as the first line of defense against attackers. The following suggestions are given for consideration:

  • As soon as updates/patches are released, install them on operating systems, software, and firmware.
  • Audit user accounts with administrative rights and build access controls with least privilege in mind. Do not grant administrative privileges to all users.
  • Do not open untrusted links or email attachments without verifying their authenticity.
  • Add an email banner to messages received from outside your organization.
  • Disable hyperlinks in received emails.
  • Ensure regular training of users on information security principles and techniques and the overall emerging risks and vulnerabilities related to cybersecurity (such as ransomware and phishing scams).
  • Ensure that you do not reuse the same password across multiple accounts.
  • Ensure your connected devices, including PCs, laptops, and mobile devices, are protected by reputed anti-virus and Internet security software packages.
  • Increase awareness and training regarding cyber security.
  • Require administrator credentials to install software.
  • It is recommended that you use multifactor authentication whenever possible.
  • Maintain multiple copies of sensitive or proprietary data in a physically separate, segmented, and secure location (e.g., on a hard drive, storage device, the cloud).
  • Make regular data backups, and password-protect your offline backup copies. The system where critical data is stored should not be accessible for modification or deletion.
  • Make sure that new or unrecognized user accounts are not present on domain controllers, servers, workstations, and in Active Directory.
  • Make sure that unused ports are disabled.
  • Only connect to secure networks and avoid using public Wi-Fi networks. Install and use a virtual private network (VPN).
  • Change passwords for network systems and accounts regularly, using the shortest practical rotation period.
  • Segment the network and maintain offline backups of data in order to ensure minimal disruption to the organization.

How to Defend Your Network from Ransomware Attacks?

Cyber security threats, ransomware attacks, and Zero-day vulnerabilities are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, file-less malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) platform, and ThreatResponder FORENSICS, the Swiss Army knife for forensic investigators, in action? Request a free demo of NetSecurity's ThreatResponder platform.


Disclaimer

The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).

I am an experienced and CEH certified cybersecurity professional with expertise in incident response, forensic investigations, cyber threat intelligence, vulnerability mgmt. and cyber threat research.
About Inno Eroraha
Dulles, Virginia
Inno Eroraha is the Founder & Chief Strategist of NetSecurity Corporation, a cybersecurity products and services company based in Dulles, VA. NetSecurity is the developer of ThreatResponder Platform.