Ransomware Spotlight: AvosLocker
Top affected industries and countries
Our telemetry shows data on AvosLocker activity or attack attempts. While we observed AvosLocker activity from all over the world, India and Canada showed top detections from July 1, 2021 to February 28, 2022.
Figure 1. Countries with the highest number of attack attempts per machine for AvosLocker ransomware (July 1, 2021 to February 28, 2022)
Source: Trend Micro™ Smart Protection Network™
Based on our detections, AvosLocker was the most active in the food and beverage sector, followed by the technology and finance sectors. However, there is only by a slim margin given the small sample size.
Figure 2. Based on our detections, AvosLocker was the most active in the food and beverage sector, followed by the technology and finance sectors. However, there is only a slim margin given the small sample size.
Source: Trend Micro Smart Protection Network
As of this writing, the highest number of AvosLocker-related detections we have seen was in the month of February, which continues the sudden increase observed at the start of the year.
Figure 3. AvosLocker monthly detections per machine (July 1, 2021 to February 28, 2022)
Source: Trend Micro Smart Protection Network
Targeted regions and sectors according to AvosLocker leak site
We also ventured into AvosLocker’s leak site, which offered a different perspective on its targets. From December 1, 2021 to February 28, 2022 we found 15 listed entities. The organizations listed in the site were successfully attacked and have not, in that period, paid the demanded ransom.
By grouping the list according to regions, we found that AvosLocker focused its efforts on targets from North America.
Figure 4. Regional distribution of AvosLocker victims according to the group’s leak site (December 1, 2021 to February 28, 2022)
More than half of the 15 entities we found in the leak site were small enterprises. With respect to the targets’ specific industries, we saw no trend emerging, as no one industry stood out from the others. This can be seen in Figure 6, where no single industry stood out from the rest.
Figure 5. Sector distribution of AvosLocker victims according to the group’s leak site (December 1, 2021 to February 28, 2022)
We do note, however, that AvosLocker has showed relatively less activity compared to other more prominent ransomware families in terms of our detections and observations from its leak site. Because of the limited sample size, further monitoring might be necessary to identify trends.
Infection chain and techniques
Initial Access
- AvosLocker uses Zoho ManageEngine ServiceDesk Plus and its exploit for initial access and to download of web shell and AnyDesk.
- It has been reported to make use of compromised accounts to access its victims via RDP or virtual private network (VPN).
Defense Evasion, Discovery, and Credential Access
- It uses Avast Anti-Rootkit Driver and a PowerShell script to disable certain antivirus processes.
- It uses a BAT script to disable antivirus services that can run on Windows Safe Mode.
- It uses Mimikatz and XenArmor Password Recovery Pro Tool to get credentials.
- It also uses Nmap, NetScan, and native Windows commands (such as ipconfig, nslookup, and others) to perform discovery on the target network.
- It avoids writing the ransomware payload in target systems.
Lateral Movement and Command and Control
- AvosLocker installs AnyDesk to gain control of the targeted systems.
- It uses PDQ Deploy to push out and execute the Windows batch script on the targeted systems.
Impact
- It then executes the ransomware payload (AvosLocker) to perform its encryption routine once all other routines are done.
- It now has both Windows and Linux version of this ransomware payload. The Linux version is also known to terminate ESXi virtual machines.
- In its latest attacks, the Windows version was executed after restarting in safe mode to inhibit security software from detecting the ransomware variant.
- In order to execute on safe mode, it adds a RunOnce registry entry under autostart. Further investigation revealed multiple ways AvosLocker can be executed via the RunOnce registry, which are the following:
- Direct execution of the ransomware payload
- Execute a PowerShell script that will download and execute the ransomware payload
- Execute a PowerShell script that will decode and execute the ransomware payload from a disguised .jpg file.
- It drops a ransom note similar to the one in Figure 7.
Figure 7. Sample ransom note used by AvosLocker
Other technical details
- It avoids the following directories:
- All Users
- AppData
- boot
- bootmgr
- Games
- Intel
- Microsoft. (Directory name starts with “Microsoft.)
- Program Files
- ProgramData
- Public
- Sophos
- System Volume Information
- Windows
- Windows.old
- WinNT
- It avoids encrypting the following files with strings in their file name:
- autorun.inf
- boot.ini
- bootfont.bin
- bootsect.bak
- config.msi
- desktop.ini
- iconcache.db
- ntldr
- ntuser.dat
- ntuser.dat.log
- ntuser.ini
- thumbs.db
- Thumbs.db
- It avoids encrypting files with the following extensions:
- .386
- .adv
- .ani
- .avos
- .avos2
- .avos2j
- .avoslinux
- .bat
- .bin
- .cab
- .cmd
- .com
- .cpl
- .cur
- .deskthemepack
- .diagcab
- .diagcfg
- .diagpkg
- .dll
- .drv
- .exe
- .hlp
- .hta
- .icl
- .icns
- .ico
- .ics
- .idx
- .key
- .ldf
- .lnk
- .lock
- .mod
- .mpa
- .msc
- .msi
- .msp
- .msstyles
- .msu
- .nls
- .nomedia
- .ocx
- .pdb
- .prf
- .ps1
- .rom
- .rtp
- .scr
- .shs
- .spl
- .sys
- .theme
- .themepack
- .wpx
- It terminates the following processes:
- encsvc
- thebat
- mydesktopq os
- xfssvccon
- firefox
- infopath
- winword
- steam
- synctime
- notepad
- ocomm
- onenote
- mspub
- thunderbird
- agntsvc
- sql
- excel
- powerpnt
- outlook
- wordpad
- dbeng50
- isqlplussvc
MITRE tactics and techniques
Initial Access | Execution | Persistence | Defense Evasion | Credential Access | Discovery | Lateral Movement | Command and Control | Impact |
---|---|---|---|---|---|---|---|---|
T1190 - Exploit public-facing application T1078 - Valid accounts | T1059 - Command and scripting interpreter T1072 - Software deployment tools | T1136 - Create account T1547 - Boot or logon autostart execution | T1112 - Modify registry T1562 - Impair defenses T1140 - Deobfuscate/Decode files or information T1070 - Indicator removal on host | T1003 - OS credential dumping T1552 - Unsecured credentials T1555 - Credentials from password stores | T1083 - File and directory discovery T1135 - Network share discovery T1057 - Process discovery T1018 - Remote system discovery | T1021 - Remote services T1072 - Software deployment tools Used PDQ Deploy to distribute the batch file and payload on target computers | T1219 - Remote access software | T1486 - Data encrypted for impact T1489 - Service stop T1490 - Inhibit system recovery T1491 - Defacement |
Summary of malware, tools, and exploits used
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in AvosLocker attacks:
Initial Access | Execution | Credential Access | Discovery | Lateral Movement | Defense Evasion | Command and Control |
---|---|---|---|---|---|---|
|
|
|
|
|
|
|
Recommendations
While AvosLocker is not yet as prominent as other ransomware families like LockBit, Conti, and Clop, it seems to follow in the footsteps of these more established players. It also reuses tactics that worked for infamous ransomware families, namely REvil. This should be enough reason for organizations to keep an eye on this ransomware family as well as to stay abreast with the latest trends and tactics employed by threat actors today.
To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources systematically for establishing solid defenses against ransomware.
Here are some best practices that can be included in these frameworks:
Audit and inventory
- Take an inventory of assets and data.
- Identify authorized and unauthorized devices and software.
- Make an audit of event and incident logs.
Configure and monitor
- Manage hardware and software configurations.
- Grant admin privileges and access only when necessary to an employee’s role.
- Monitor network ports, protocols, and services.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Establish a software allowlist that only executes legitimate applications.
Patch and update
- Conduct regular vulnerability assessments.
- Perform patching or virtual patching for operating systems and applications.
- Update software and applications to their latest versions.
Protect and recover
- Implement data protection, back up, and recovery measures.
- Enable multifactor authentication (MFA).
Secure and defend
- Employ sandbox analysis to block malicious emails.
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
- Detect early signs of an attack such as the presence of suspicious tools in the system.
- Use advanced detection technologies such as those powered by AI and machine learning.
Train and test
- Regularly train and assess employees on security skills.
- Conduct red-team exercises and penetration tests.
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
- Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.
- Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
- Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise (IOCs)
The IOCs for this article can be found here. Actual indicators might vary per attack.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.