AvosLocker is a relatively new ransomware variant that sports the staples of modern ransomware, namely a layered extortion scheme that begins with stolen data. We shed light on this emerging ransomware family and its key techniques.
View infographic of "Ransomware Spotlight: AvosLocker"
AvosLocker is one of the newer ransomware families that came to fill the void left by REvil. While not as prominent or active as LockBit or Conti, it is slowly making a name for itself, with the US Federal Bureau of Investigation (FBI) releasing an advisory on this threat. According to the report, AvosLocker has been targeting critical infrastructure in different sectors of the US, with attacks also observed in other countries like Canada, UK, and Spain. Although detections are low, its clever use of familiar tactics makes it a ransomware variant worth monitoring today.
What do organizations need to know about AvosLocker?
AvosLocker is another variant that runs on a ransomware-as-a-service (RaaS) model. It was first spotted in July 2021 and has since come up with several variants released over time. The following are the key characteristics of AvosLocker:
It uses the remote administration tool AnyDesk. One of the notable characteristics of AvosLocker campaigns is its use of AnyDesk, a remote administration tool (RAT) to connect to victim machines. Using this tool, the operator can manually operate and infect the machine.
It runs on safe mode. Another key element of AvosLocker is running itself on safe mode as part of its evasion tactics. The attacker restarts the machine, disables certain drivers, and runs on safe mode, thus avoiding certain security measures that are unable to run in this mode. Operators also set up certain drivers to make sure that AnyDesk would run even in safe mode. It is important to note that this was a tactic previously employed by the now defunct REvil.
Operators auction stolen data. AvosLocker again takes a leaf from REvil’s page by auctioning stolen data on its site, on top of its double extortion scheme. This could be the group’s way of further monetizing a single successful attack or salvaging a failed one.
As mentioned, AvosLocker operators have also released multiple versions of this ransomware. The tactic of running itself on safe mode was seen in the second version of AvosLocker. Following the trend of targeting Linux machines, AvosLocker also released a Linux variant as advertised by the group on October 2021. This variant is capable of attacking ESXi virtual machines (VMs), which makes it a variant to watch out for.
Operating as an RaaS, the actors behind AvosLocker conduct reconnaissance before each campaign. Actors choose their targets based on their ability to pay the demanded ransom and tailor their attacks accordingly.
In the next sections, we look at which regions and industries the group has targeted most often, based on our detections and information from their leak site.
Top affected industries and countries
Our telemetry shows data on AvosLocker activity or attack attempts. While we observed AvosLocker activity from all over the world, India and Canada showed top detections from July 1, 2021 to February 28, 2022.
Figure 1. Countries with the highest number of attack attempts per machine for AvosLocker ransomware (July 1, 2021 to February 28, 2022) Source: Trend Micro™ Smart Protection Network™
Based on our detections, AvosLocker was the most active in the food and beverage sector, followed by the technology and finance sectors. However, there is only by a slim margin given the small sample size.
Figure 2. Based on our detections, AvosLocker was the most active in the food and beverage sector, followed by the technology and finance sectors. However, there is only a slim margin given the small sample size. Source: Trend Micro Smart Protection Network
As of this writing, the highest number of AvosLocker-related detections we have seen was in the month of February, which continues the sudden increase observed at the start of the year.
Figure 3. AvosLocker monthly detections per machine (July 1, 2021 to February 28, 2022) Source: Trend Micro Smart Protection Network
Targeted regions and sectors according to AvosLocker leak site
We also ventured into AvosLocker’s leak site, which offered a different perspective on its targets. From December 1, 2021 to February 28, 2022 we found 15 listed entities. The organizations listed in the site were successfully attacked and have not, in that period, paid the demanded ransom.
By grouping the list according to regions, we found that AvosLocker focused its efforts on targets from North America.
Figure 4. Regional distribution of AvosLocker victims according to the group’s leak site (December 1, 2021 to February 28, 2022)
More than half of the 15 entities we found in the leak site were small enterprises. With respect to the targets’ specific industries, we saw no trend emerging, as no one industry stood out from the others. This can be seen in Figure 6, where no single industry stood out from the rest.
Figure 5. Sector distribution of AvosLocker victims according to the group’s leak site (December 1, 2021 to February 28, 2022)
We do note, however, that AvosLocker has showed relatively less activity compared to other more prominent ransomware families in terms of our detections and observations from its leak site. Because of the limited sample size, further monitoring might be necessary to identify trends.
Infection chain and techniques
The AvosLocker infection chain, which operates on the RaaS model, can vary depending on the target. The following infection chain shows a variety of tactics and tools employed by this RaaS.
Figure 6. AvosLocker infection chain
AvosLocker uses Zoho ManageEngine ServiceDesk Plus and its exploit for initial access and to download of web shell and AnyDesk.
It has been reported to make use of compromised accounts to access its victims via RDP or virtual private network (VPN).
Defense Evasion, Discovery, and Credential Access
It uses Avast Anti-Rootkit Driver and a PowerShell script to disable certain antivirus processes.
It uses a BAT script to disable antivirus services that can run on Windows Safe Mode.
It uses Mimikatz and XenArmor Password Recovery Pro Tool to get credentials.
It also uses Nmap, NetScan, and native Windows commands (such as ipconfig, nslookup, and others) to perform discovery on the target network.
It avoids writing the ransomware payload in target systems.
Lateral Movement and Command and Control
AvosLocker installs AnyDesk to gain control of the targeted systems.
It uses PDQ Deploy to push out and execute the Windows batch script on the targeted systems.
It then executes the ransomware payload (AvosLocker) to perform its encryption routine once all other routines are done.
It now has both Windows and Linux version of this ransomware payload. The Linux version is also known to terminate ESXi virtual machines.
In its latest attacks, the Windows version was executed after restarting in safe mode to inhibit security software from detecting the ransomware variant.
In order to execute on safe mode, it adds a RunOnce registry entry under autostart. Further investigation revealed multiple ways AvosLocker can be executed via the RunOnce registry, which are the following:
Direct execution of the ransomware payload
Execute a PowerShell script that will download and execute the ransomware payload
Execute a PowerShell script that will decode and execute the ransomware payload from a disguised .jpg file.
It drops a ransom note similar to the one in Figure 7.
Figure 7. Sample ransom note used by AvosLocker
Other technical details
It avoids the following directories:
Microsoft. (Directory name starts with “Microsoft.)
System Volume Information
It avoids encrypting the following files with strings in their file name:
It avoids encrypting files with the following extensions:
It terminates the following processes:
MITRE tactics and techniques
Command and Control
T1190 - Exploit public-facing application Arrives by exploiting Zoho ManageEngine ServiceDesk Plus Exploit to download web shell and AnyDesk
As it operates as a RaaS, depending on the affiliate, the following exploits might be used for initial access:•CVE-2021-31206• CVE-2021-31207• CVE-2021-34473• CVE-2021-34523• CVE-2021-26855
T1078 - Valid accounts Have been reported to make used of compromised accounts to access victims via RDP or VPN
T1059 - Command and scripting interpreter Uses various scripting interpreters like PowerShell and Windows Command shell
T1072 - Software deployment tools Used PDQ Deploy to distribute the batch file and payload on target computers
T1136 - Create account Creates a new user to ensure automatic login when machine is restarted in safe mode
T1547 - Boot or logon autostart execution Creates an autostart entry to ensure execution of ransomware when restarted in safe mode
T1112 - Modify registry Modifies registry entry to allow AnyDesk on safe mode and to enable automatic login when restarted in safe mode
T1562 - Impair defenses Abuses Avast Anti-Rootkit Driver and a PowerShell script to disable certain processes related to security tools and also restarts the machine in safe mode to inhibit security tools from executing
T1140 - Deobfuscate/Decode files or information Some ransomware samples are decoded using CertUtil and strings to be used by the ransomware are encrypted using XOR.
T1070 - Indicator removal on host It deletes created registry entries, scripts, and ransomware binary after encryption.
T1003 - OS credential dumping Might utilize Mimikatz to dump credentials
T1552 - Unsecured credentials Might utilize Mimikatz or XenArmor Password Recovery Pro tool to gather credentials
T1555 - Credentials from password stores Might utilize XenArmor Password Recovery Pro tool to gain credentials
T1083 - File and directory discovery Searches for specific files and directory related to its ransomware encryption
T1135 - Network share discovery Makes use of tools to enumerate network share
T1057 - Process discovery Discovers certain processes for process termination
T1018 - Remote system discovery Makes use of tools for network scans
T1021 - Remote services Might use AnyDesk to remotely connect and transfer files
T1072 - Software deployment tools Used PDQ Deploy to distribute the batch file and payload on target computers
T1219 - Remote access software Makes use of tools for network scans
T1486 - Data encrypted for impact Might use AnyDesk to remotely connect and transfer files It uses the salsa12 stream cipher to encrypt victim files. Older versions used advanced encryption standard (AES) AES-256-CBC and RSA to encrypt files and keys respectively.
T1489 - Service stop Contains a list of services to be terminated to ensure encryption
T1490 - Inhibit system recovery Deletes shadow copies
T1491 - Defacement Replaces the desktop wallpaper with the ransom note
Summary of malware, tools, and exploits used
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in AvosLocker attacks:
Command and Control
Exploit for Zoho ManageEngine ServiceDesk Plus
Windows command shell
XenArmor Password Recovery Tool Pro
Avast Anti-Rootkit Scanner
While AvosLocker is not yet as prominent as other ransomware families like LockBit, Conti, and Clop, it seems to follow in the footsteps of these more established players. It also reuses tactics that worked for infamous ransomware families, namely REvil. This should be enough reason for organizations to keep an eye on this ransomware family as well as to stay abreast with the latest trends and tactics employed by threat actors today.
To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources systematically for establishing solid defenses against ransomware.
Here are some best practices that can be included in these frameworks:
Audit and inventory
Take an inventory of assets and data.
Identify authorized and unauthorized devices and software.
Make an audit of event and incident logs.
Configure and monitor
Manage hardware and software configurations.
Grant admin privileges and access only when necessary to an employee’s role.
Monitor network ports, protocols, and services.
Activate security configurations on network infrastructure devices such as firewalls and routers.
Establish a software allowlist that only executes legitimate applications.
Patch and update
Conduct regular vulnerability assessments.
Perform patching or virtual patching for operating systems and applications.
Update software and applications to their latest versions.
Protect and recover
Implement data protection, back up, and recovery measures.
Enable multifactor authentication (MFA).
Secure and defend
Employ sandbox analysis to block malicious emails.
Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
Detect early signs of an attack such as the presence of suspicious tools in the system.
Use advanced detection technologies such as those powered by AI and machine learning.
Train and test
Regularly train and assess employees on security skills.
Conduct red-team exercises and penetration tests.
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.
Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.