Figure 7. Sample ransom note used by AvosLocker
| Tactic | Technique | Notes |
|---|---|---|
| Initial Access | T1190 - Exploit public-facing application | |
| Initial Access | T1078 - Valid accounts | |
| Execution | T1059 - Command and scripting interpreter | |
| Execution | T1072 - Software deployment tools | |
| Persistence | T1136 - Create account | |
| Persistence | T1547 - Boot or logon autostart execution | |
| Defense Evasion | T1112 - Modify registry | |
| Defense Evasion | T1562 - Impair defenses | |
| Defense Evasion | T1140 - Deobfuscate/Decode files or information | |
| Defense Evasion | T1070 - Indicator removal on host | |
| Credential Access | T1003 - OS credential dumping | |
| Credential Access | T1552 - Unsecured credentials | |
| Credential Access | T1555 - Credentials from password stores | |
| Discovery | T1083 - File and directory discovery | |
| Discovery | T1135 - Network share discovery | |
| Discovery | T1057 - Process discovery | |
| Discovery | T1018 - Remote system discovery | |
| Lateral Movement | T1021 - Remote services | |
| Lateral Movement | T1072 - Software deployment tools | Used PDQ Deploy to distribute the batch file and payload on target computers |
| Command and Control | T1219 - Remote access software | |
| Impact | T1486 - Data encrypted for impact | |
| Impact | T1489 - Service stop | |
| Impact | T1490 - Inhibit system recovery | |
| Impact | T1491 - Defacement | |
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in AvosLocker attacks:
| Initial Access | Execution | Credential Access | Discovery | Lateral Movement | Defense Evasion | Command and Control |
|---|---|---|---|---|---|---|
While AvosLocker is not yet as prominent as other ransomware families like LockBit, Conti, and Clop, it appears to follow in the footsteps of these more established players. It also reuses tactics that worked for infamous ransomware families, namely REvil. This should be reason enough for organizations to keep an eye on this ransomware family and to stay abreast of the latest trends and tactics employed by threat actors today.
To help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically toward building solid defenses against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.