AvosLocker Ransomware

Platform Expansion: Initially focusing on Windows environments, AvosLocker expanded its capabilities around October 2021 by developing and advertising a Linux variant specifically designed to target VMware ESXi servers. This move significantly increased its threat potential against virtualized enterprise environments.

Tactical Refinements: Early versions relied heavily on known initial access vectors. Over time, affiliates began incorporating more sophisticated techniques, including the exploitation of specific vulnerabilities (like those in Microsoft Exchange) and the abuse of legitimate remote administration tools.

Evasion Techniques: The introduction of techniques like booting victim systems into Safe Mode before encryption (a tactic also used by REvil) was observed in later versions. This method helps bypass security software that may not operate effectively in Safe Mode.

Infrastructure Development: AvosLocker operates a dedicated leak site on the Tor network where they name non-compliant victims and threaten to publish or auction stolen data, adding pressure to the double extortion scheme.

Exploiting Vulnerabilities: Affiliates actively scan for and exploit known vulnerabilities in public-facing applications. Notable examples include vulnerabilities in Microsoft Exchange servers (CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, CVE-2021-31207) and Zoho ManageEngine ADSelfService Plus (CVE-2021-40539).

Compromised Credentials: Purchase and use of compromised Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) credentials obtained from initial access brokers or dark web markets.

Phishing: Deployment of spear-phishing campaigns targeting employees with malicious attachments or links. Learn more about types of phishing attacks.

Abuse of Remote Access Tools: Leveraging legitimate remote administration tools like AnyDesk, Splashtop Streamer, Tactical RMM, PuTTy, Atera Agent, and PDQ Deploy as backdoors for initial and persistent access. AnyDesk has been observed being configured to run even in Safe Mode.

Command and Scripting: Extensive use of PowerShell and Windows Command Shell (Batch scripts like Love.bat, lock.bat, update.bat). Custom scripts (e.g., AVO.ps1) are used for privilege escalation, lateral movement, disabling security tools, and automating tasks.

Legitimate Tool Abuse: Utilizing built-in Windows tools like PsExec and nltest for remote command execution and network reconnaissance. Windows Management Instrumentation (WMI) is also employed for execution.

C2 Frameworks: Deployment of common command-and-control frameworks like Cobalt Strike and Sliver to maintain control over compromised systems.

Webshells: Uploading custom webshells onto compromised web servers to ensure persistent network access.

Credential Dumping: Using tools like Mimikatz and LaZagne to harvest credentials from memory and password stores.

Disabling Security Software: Custom scripts are often used to terminate processes associated with antivirus and endpoint detection and response (EDR) solutions.

Safe Mode Execution: A notable technique involves rebooting endpoints into Safe Mode with Networking before initiating encryption. This often bypasss or disables security products. Specific drivers might be disabled to ensure tools like AnyDesk function correctly in this mode.

Deleting Shadow Copies: Using vssadmin.exe delete shadows /all /quiet and wmic.exe shadowcopy delete commands to remove volume shadow copies, hindering file recovery.

Clearing Logs: Employing PowerShell commands to clear Windows Event Logs to cover tracks.

Disabling Recovery Mode: Using bcdedit /set {default} bootstatuspolicy ignoreallfailures and bcdedit /set {default} recoveryenabled no to disable Windows automatic recovery features.

Utilizing tools like PsExec and compromised credentials to move across the network.

Scanning the network for accessible shares and systems using native tools or scanners like RDP Scanner.

Protocol Tunneling: Employing tools like Ligolo and Chisel to create encrypted tunnels for C2 communication, often over standard ports like 443, to bypass network egress filtering.

Custom Proxies: Use of tools like NetMonitor.exe, a reverse proxy disguised as a legitimate tool, for encrypted C2 traffic.

Data Theft: Prioritizing the exfiltration of sensitive data before deploying the ransomware payload (double extortion).

Exfiltration Tools: Using legitimate tools like FileZilla and Rclone, or custom scripts, to transfer stolen data to attacker-controlled infrastructure.

Encryption Algorithm: Typically uses a hybrid approach, encrypting files with AES-256 and protecting the AES key with RSA encryption. Learn about symmetric and asymmetric encryption.

Targeted Files: Encrypts files based on extensions, excluding critical system files to keep the OS operational for ransom payment.

File Extensions: Appends extensions like .avos, .avos2, or .avoslinux to encrypted files.

Ransom Note: Drops a ransom note (e.g., GET_YOUR_FILES_BACK.txt) in directories containing encrypted files, directing victims to a Tor-based site for payment instructions and negotiation. Victims may sometimes receive phone calls from the attackers.

Multi-threading: Employs multiple threads during encryption for faster impact.

Target Industries: AvosLocker has demonstrated a broad targeting scope, but shows a notable focus on:

Geographic Focus: While attacks are global, there has been a significant concentration of victims in the United States. Other heavily impacted regions include Canada, the United Kingdom, Spain, and various European and Asian countries.

Organizational Size: Victims range from Small and Medium-sized Businesses (SMBs) to large enterprises, indicating flexibility in affiliate targeting based on opportunity.

Potential Impact: Beyond the immediate financial cost of ransom payments (if made), victims face severe consequences including:

Consistent Targeting of Critical Infrastructure: As emphasized in the FBI/CISA advisories from March 2022 and the update in May 2023, AvosLocker affiliates persistently target critical sectors in the US and allied nations. This indicates a strategic focus, likely based on the perceived higher likelihood of payment due to the critical nature of operations.

Exploitation of Specific Vulnerabilities: Campaigns have been observed capitalizing on widespread vulnerabilities shortly after their disclosure, such as the ProxyShell/ProxyLogon flaws in Microsoft Exchange and the Zoho ManageEngine vulnerability. This opportunistic approach allows them to compromise numerous organizations quickly.

Use of Legitimate Tools for Evasion: A hallmark of AvosLocker campaigns is the heavy reliance on legitimate administrative tools (AnyDesk, PDQ Deploy, PuTTy) and built-in OS utilities (PsExec, PowerShell, WMI). This "living-off-the-land" approach makes their activity harder to distinguish from legitimate administrative actions, complicating detection.

Multi-Platform Attacks: The availability of both Windows and Linux/ESXi variants allows affiliates to conduct campaigns targeting diverse enterprise environments, maximizing their potential victim base within a single compromised network or across different organizations.

Patch Management: Prioritize patching of known exploited vulnerabilities, especially on internet-facing systems like VPN gateways, RDP servers, Exchange servers, and other web applications. Subscribe to CISA's Known Exploited Vulnerabilities (KEV) catalog updates.

Secure Remote Access:

Email Security: Implement robust email filtering to block phishing attempts and malicious attachments. Provide regular security awareness training to employees on identifying phishing tactics. Use email banners to mark external messages.

Credential Security: Enforce NIST-compliant password policies (long passphrases, no reuse). Regularly audit for weak or compromised credentials.

Endpoint Detection and Response (EDR): Deploy EDR solutions capable of detecting malicious PowerShell execution, credential dumping (Mimikatz), process injection, and suspicious use of administrative tools like PsExec.

Network Monitoring: Monitor network traffic for unusual patterns, C2 communications (especially tunneling activity via tools like Ligolo/Chisel), and large data exfiltration attempts.

PowerShell Hardening and Logging:

IOC Sweeping: Regularly ingest and scan for IOCs provided by CISA, FBI, and threat intelligence providers. Utilize the provided YARA rule for detecting specific AvosLocker tools like NetMonitor.exe.rule FBI_AvosLocker_NetMonitor_1 : Actor_AvosLocker{ meta: author = "FBI" description = "Detects NetMonitor malware used by AvosLocker actors" reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a" date = "2023-05-16" strings: $s1 = { 61 00 76 00 6f 00 73 00 6c 00 6f 00 63 00 6b 00 65 00 72 00 } /* a.v.o.s.l.o.c.k.e.r. */ $s2 = { 53 79 73 74 65 6d 2e 4e 65 74 2e 53 6f 63 6b 65 74 73 } /* System.Net.Sockets */ $s3 = { 54 63 70 43 6c 69 65 6e 74 } /* TcpClient */ $s4 = { 4e 65 74 77 6f 72 6b 53 74 72 65 61 6d } /* NetworkStream */ $s5 = { 43 72 79 70 74 6f 67 72 61 70 68 79 } /* Cryptography */ $s6 = { 41 45 53 43 72 79 70 74 6f 50 72 6f 76 69 64 65 72 } /* AESCryptoProvider */ $s7 = { 43 72 79 70 74 6f 53 74 72 65 61 6d } /* CryptoStream */ condition: all of them}


System Hardening:

Backup Strategy: Implement the 3-2-1 backup rule (three copies, two different media types, one offsite). Ensure backups are immutable, encrypted, stored offline or in a segmented network zone, and tested regularly.

Incident Response Plan: Develop and regularly test an incident response plan that specifically addresses ransomware scenarios.

Network Segmentation: Segment networks to limit the blast radius if an infection occurs. Prevent lateral movement between critical segments.

BlackCat (ALPHV)

CLOP Ransomware

LockBit 3.0 Ransomware

Black Basta Ransomware

Ransomware Payments Drop 35% in 2024 as Law Enforcement Disrupts Cybercrime