Our telemetry shows data on AvosLocker activity or attack attempts. While we observed AvosLocker activity from all over the world, India and Canada showed top detections from July 1, 2021 to February 28, 2022.
Figure 1. Countries with the highest number of attack attempts per machine for AvosLocker ransomware (July 1, 2021 to February 28, 2022)
Source: Trend Micro™ Smart Protection Network™
Based on our detections, AvosLocker was the most active in the food and beverage sector, followed by the technology and finance sectors. However, there is only by a slim margin given the small sample size.
Figure 2. Based on our detections, AvosLocker was the most active in the food and beverage sector, followed by the technology and finance sectors. However, there is only a slim margin given the small sample size.
Source: Trend Micro Smart Protection Network
As of this writing, the highest number of AvosLocker-related detections we have seen was in the month of February, which continues the sudden increase observed at the start of the year.
Figure 3. AvosLocker monthly detections per machine (July 1, 2021 to February 28, 2022)
Source: Trend Micro Smart Protection Network
We also ventured into AvosLocker’s leak site, which offered a different perspective on its targets. From December 1, 2021 to February 28, 2022 we found 15 listed entities. The organizations listed in the site were successfully attacked and have not, in that period, paid the demanded ransom.
By grouping the list according to regions, we found that AvosLocker focused its efforts on targets from North America.
Figure 4. Regional distribution of AvosLocker victims according to the group’s leak site (December 1, 2021 to February 28, 2022)
More than half of the 15 entities we found in the leak site were small enterprises. With respect to the targets’ specific industries, we saw no trend emerging, as no one industry stood out from the others. This can be seen in Figure 6, where no single industry stood out from the rest.
Figure 5. Sector distribution of AvosLocker victims according to the group’s leak site (December 1, 2021 to February 28, 2022)
We do note, however, that AvosLocker has showed relatively less activity compared to other more prominent ransomware families in terms of our detections and observations from its leak site. Because of the limited sample size, further monitoring might be necessary to identify trends.
Figure 7. Sample ransom note used by AvosLocker
|Initial Access||Execution||Persistence||Defense Evasion||Credential Access||Discovery||Lateral Movement||Command and Control||Impact|
T1190 - Exploit public-facing application
T1078 - Valid accounts
T1059 - Command and scripting interpreter
T1072 - Software deployment tools
T1136 - Create account
T1547 - Boot or logon autostart execution
T1112 - Modify registry
T1562 - Impair defenses
T1140 - Deobfuscate/Decode files or information
T1070 - Indicator removal on host
T1003 - OS credential dumping
T1552 - Unsecured credentials
T1555 - Credentials from password stores
T1083 - File and directory discovery
T1135 - Network share discovery
T1057 - Process discovery
T1018 - Remote system discovery
T1021 - Remote services
T1072 - Software deployment tools Used PDQ Deploy to distribute the batch file and payload on target computers
T1219 - Remote access software
T1486 - Data encrypted for impact
T1489 - Service stop
T1490 - Inhibit system recovery
T1491 - Defacement
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in AvosLocker attacks:
|Initial Access||Execution||Credential Access||Discovery||Lateral Movement||Defense Evasion||Command and Control|
While AvosLocker is not yet as prominent as other ransomware families like LockBit, Conti, and Clop, it seems to follow in the footsteps of these more established players. It also reuses tactics that worked for infamous ransomware families, namely REvil. This should be enough reason for organizations to keep an eye on this ransomware family as well as to stay abreast with the latest trends and tactics employed by threat actors today.
To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources systematically for establishing solid defenses against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.