Ransomware Spotlight: AvosLocker
Our telemetry shows AvosLocker activity and attack attempts from all over the world; India and Canada showed the highest number of detections from July 1, 2021 to February 28, 2022.
Figure 1. Countries with the highest number of attack attempts per machine for AvosLocker ransomware (July 1, 2021 to February 28, 2022)
Source: Trend Micro™ Smart Protection Network™
Based on our detections, AvosLocker was the most active in the food and beverage sector, followed by the technology and finance sectors. However, the margin is slim given the small sample size.
Figure 2. Based on our detections, AvosLocker was the most active in the food and beverage sector, followed by the technology and finance sectors. However, the margin is slim given the small sample size.
Source: Trend Micro Smart Protection Network
As of this writing, the highest number of AvosLocker-related detections we have seen was in the month of February, which continues the sudden increase observed at the start of the year.
Figure 3. AvosLocker monthly detections per machine (July 1, 2021 to February 28, 2022)
Source: Trend Micro Smart Protection Network
We also ventured into AvosLocker’s leak site, which offered a different perspective on its targets. From December 1, 2021 to February 28, 2022, we found 15 listed entities. The organizations listed on the site were successfully attacked and had not, in that period, paid the demanded ransom.
By grouping the list according to regions, we found that AvosLocker focused its efforts on targets from North America.
Figure 4. Regional distribution of AvosLocker victims according to the group’s leak site (December 1, 2021 to February 28, 2022)
More than half of the 15 entities we found on the leak site were small enterprises. With respect to the targets’ specific industries, we saw no trend emerging: as Figure 6 shows, no single industry stood out from the rest.
Figure 5. Sector distribution of AvosLocker victims according to the group’s leak site (December 1, 2021 to February 28, 2022)
We do note, however, that AvosLocker has shown relatively little activity compared to other, more prominent ransomware families, both in our detections and in our observations of its leak site. Because of the limited sample size, further monitoring might be necessary to identify trends.
Figure 7. Sample ransom note used by AvosLocker
Tactic | Techniques
---|---
Initial Access | T1190 - Exploit public-facing application; T1078 - Valid accounts
Execution | T1059 - Command and scripting interpreter; T1072 - Software deployment tools
Persistence | T1136 - Create account; T1547 - Boot or logon autostart execution
Defense Evasion | T1112 - Modify registry; T1562 - Impair defenses; T1140 - Deobfuscate/decode files or information; T1070 - Indicator removal on host
Credential Access | T1003 - OS credential dumping; T1552 - Unsecured credentials; T1555 - Credentials from password stores
Discovery | T1083 - File and directory discovery; T1135 - Network share discovery; T1057 - Process discovery; T1018 - Remote system discovery
Lateral Movement | T1021 - Remote services; T1072 - Software deployment tools (used PDQ Deploy to distribute the batch file and payload on target computers)
Command and Control | T1219 - Remote access software
Impact | T1486 - Data encrypted for impact; T1489 - Service stop; T1490 - Inhibit system recovery; T1491 - Defacement
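As an added defender-side example (not code from the Trend Micro article), the Python script below shows how the lateral-movement pattern in the table, a software deployment tool distributing a batch file and payload followed by service stops, could be surfaced from process-creation telemetry. The log lines are constructed for illustration; the runner process name `PDQDeployRunner-<n>.exe`, the `.bat` heuristic, and the 120-second correlation window are assumptions to tune for your own environment rather than indicators taken from the article.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style, simplified):
# timestamp|host|parent_image|image|command_line. Not real AvosLocker telemetry.
SAMPLE_EVENTS = """\
2022-02-10T03:14:02Z|WS-017|C:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-1\\exec\\PDQDeployRunner-1.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Windows\\Temp\\deploy.bat
2022-02-10T03:14:03Z|WS-017|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net stop "SQL Server (MSSQLSERVER)" /y
2022-02-10T03:14:03Z|WS-017|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\sc.exe|sc stop MSExchangeIS
2022-02-10T03:14:04Z|WS-017|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\Temp\\update.exe|update.exe
2022-02-10T09:00:11Z|WS-022|C:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-1\\exec\\PDQDeployRunner-1.exe|C:\\Windows\\System32\\msiexec.exe|msiexec /i C:\\Windows\\Temp\\7zip.msi /qn
2022-02-10T09:30:00Z|WS-022|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net stop Spooler
"""

# Assumption: the PDQ Deploy runner on target machines is named PDQDeployRunner-<n>.exe.
DEPLOY_RUNNER = re.compile(r"PDQDeployRunner-\d+\.exe$", re.IGNORECASE)
# Heuristic: a deployment job that hands a batch script to cmd.exe (T1072 -> T1059).
BATCH_LAUNCH = re.compile(r"\.bat\b", re.IGNORECASE)
# Service-stop commands that often precede encryption (T1489).
SERVICE_STOP = re.compile(r"\b(net1?\s+stop|sc\s+stop)\b", re.IGNORECASE)
WINDOW = timedelta(seconds=120)  # assumed correlation window


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    host: str
    first_seen: datetime
    severity: str
    techniques: list = field(default_factory=list)
    service_stops: int = 0


def parse_events(text):
    """Parse the pipe-delimited sample format; maxsplit keeps pipes inside command lines intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, image, cmdline))
    return events


def detect(events):
    """Flag hosts where a deployment tool launched a batch script (T1072/T1059),
    escalating to high when two or more service stops (T1489) follow within WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, ev in enumerate(evs):
            deployed_batch = (
                DEPLOY_RUNNER.search(ev.parent)
                and ev.image.lower().endswith("cmd.exe")
                and BATCH_LAUNCH.search(ev.cmdline)
            )
            if not deployed_batch:
                continue
            finding = Finding(host, ev.ts, "medium", ["T1072", "T1059"])
            # Count service stops on the same host shortly after the batch launch.
            for later in evs[i + 1:]:
                if later.ts - ev.ts > WINDOW:
                    break
                if SERVICE_STOP.search(later.cmdline):
                    finding.service_stops += 1
            if finding.service_stops >= 2:
                finding.severity = "high"
                finding.techniques.append("T1489")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f.host} {f.first_seen:%Y-%m-%d %H:%M:%S} {f.severity} {f.techniques} service_stops={f.service_stops}")
```

In the constructed sample only WS-017 is flagged: the runner-launched batch file alone would rate medium, and the two service stops that follow within the window raise it to high. WS-022 shows why the correlation matters: a legitimate MSI push through the same deployment tool and a single, unrelated `net stop` from an interactive session generate no finding on their own.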
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in AvosLocker attacks:
Initial Access | Execution | Credential Access | Discovery | Lateral Movement | Defense Evasion | Command and Control |
---|---|---|---|---|---|---|
While AvosLocker is not yet as prominent as other ransomware families like LockBit, Conti, and Clop, it seems to follow in the footsteps of these more established players. It also reuses tactics that worked for infamous ransomware families, namely REvil. This should be reason enough for organizations to keep an eye on this ransomware family and to stay abreast of the latest trends and tactics employed by threat actors today.
To help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically to build solid defenses against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
The IOCs for this article can be found here. Actual indicators might vary per attack.