.svg)
.svg)
On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware [1]. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments.
In this blog post, we explained the Tactics, Techniques, and Procedures (TTPs) used by AvosLocker ransomware and how organizations can defend themselves against AvosLocker ransomware attacks.
Simulate Ransomware Attacks with 14-Day Free Trial of Picus Platform
AvosLocker Ransomware
AvosLocker ransomware group emerged in June 2021. AvosLocker employs a Ransomware-as-a-Service (RaaS) business model and provides ransomware infrastructure to other threat actors for a percentage of the ransom payments. Like many other contemporary ransomware groups, AvosLocker also employs a double-extortion tactic. The group steals the victim's sensitive data and threatens to publish it on their "leak site" if the ransom isn't paid. This tactic puts additional pressure on victims, especially those who hold sensitive or confidential data. AvosLocker is known for attacking high-profile targets and demanding significant ransoms. In the recent past, they targeted critical infrastructure in different sectors in the US, Canada, the UK, and Spain.
AvosLocker often uses common initial access techniques such as spear-phishing emails, exploiting vulnerable public-facing applications, or using compromised Remote Desktop Protocol (RDP) credentials. After initial access, adversaries upload custom webshells to establish persistence in the victim's network. Using known credential dumping tools, AvosLocker threat actors steal credentials from the compromised host and use them for lateral movement and privilege escalation. Prior to encryption, attackers exfiltrate the victim's sensitive files to an adversary-controlled command and control (C2) server. In the final step, AvosLocker reboots the infected machine in Safe Mode with Networking and encrypts the victim's sensitive files.
CISA previously released another cybersecurity on AvosLocker ransomware in March 2022. Since then, the threat actors created new AvosLocker variants and added new capabilities to their arsenal. CISA recommends organizations continuously validate their security controls against the AvosLocker ransomware variants and their evolving threat behaviors.
AvosLocker Ransomware Analysis and MITRE ATT&CK TTPs
Initial Access
T1078 Valid Accounts
AvosLocker ransomware operators acquire compromised credentials from Initial Access Brokers (IABs) and criminal forums/marketplaces. Using these valid accounts, adversaries gain initial access to the targets' networks via RDP or VPN.
T1566 Phishing
AvosLocker threat actors use spam email campaigns to deliver the ransomware payload to their targets.
T1133 External Remote Services
AvosLocker group uses remote system administration tools such as AnyDesk, PuTTy, Atera Agent, Splashtop Streamer, Tactical RMM, and PDQ Deploy to gain initial access to their targets. Zoho ManageEngine CVE-2021-40539 vulnerability is known to be exploited by AvosLocker threat actors as an initial access vector.
Execution
T1059 Command and Scripting Interpreter
Adversaries use custom batch files and PowerShell scripts for privilege escalation, lateral movement, and defense evasion. The names of the used scripts are Love.bat, lock.bat, update.bat, and AVO.ps1.
Example 1: update.bat used by AvosLocker [2]
T1047 Windows Management Instrumentation
AvosLocker uses legitimate Windows tools such as PsExec and nltest to interact with Windows Management Instrumentation and execute commands.
Persistence
T1505.003 Server Software Component: Web Shell
After gaining initial access, AvosLocker operators upload custom webshells to establish persistence in the compromised network.
Defense Evasion
T1562.009 Impair Defenses: Safe Mode Boot
Before deploying the ransomware payload, AvosLocker forces the infected Windows hosts into rebooting in Safe Mode. In Safe Mode, Windows does not enable many endpoint protections, and ransomware is less likely to be detected or prevented.
Credential Access
T1555 Credentials from Password Stores
AvosLocker threat actors use known public credential dumping tools such as Mimikatz and LaZange to extract credentials from password storage mechanisms.
Command and Control
T1572 Protocol Tunneling
AvosLocker uses open-source tools such as Ligolo and Chisel for secure communication between a compromised network and an adversary-controlled C2 server. By encrypting the channel and bypassing egress filtering, AvosLocker threat actors transfer malicious tools and steal sensitive data without being detected.
Impact
T1486 Data Encrypted for Impact
AvosLocker ransomware uses a hybrid encryption methodology and combines AES-256-CBC and RSA to encrypt its victim's files. Depending on the version, encrypted files are appended with the .avos or .avos2 extension.
T1490 Inhibit System Recovery
AvosLocker operators delete all volume shadow copies of the infected host to prevent victims from recovering their files.
|
cmd /c wmic shadowcopy delete /nointeractive cmd /c vssadmin.exe Delete Shadows /All /Quiet |
How Picus Helps Simulate AvosLocker Ransomware Attacks?
We also strongly suggest simulating AvosLocker ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as Snatch, Rhysida, and Akira, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for AvosLocker ransomware:
|
Threat ID |
Threat Name |
Attack Module |
|
71796 |
AvosLocker Ransomware Download Threat |
Network Infiltration |
|
34520 |
AvosLocker Ransomware Email Threat |
Email Infiltration (Phishing) |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address AvosLocker ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for AvosLocker ransomware:
|
Security Control |
Signature ID |
Signature Name |
|
Check Point NGFW |
0F3BD34DC |
Trojan.Win32.Trojan-Ransom.TC.fef5cPtX |
|
Check Point NGFW |
0E11AB772 |
Trojan.Win32.Trojan-Ransom.Win32.Hive.TC.5565tXuh |
|
Check Point NGFW |
0844DC21D |
Trojan.Win32.Generic.TC.8d88HHzm |
|
Cisco FirePower |
Win.Dropper.Delshad::100.sbx.tg |
|
|
Cisco FirePower |
W32.Auto:1e21c8e27a.in03.Talos |
|
|
Forcepoint NGFW |
|
File_Malware-Blocked |
|
Fortigate AV |
10053759 |
W64/Hive.B0FF!tr.ransom |
|
Fortigate AV |
10044273 |
W32/Filecoder.OHU!tr.ransom |
|
Fortigate AV |
10053760 |
W32/Hive.B0FF!tr.ransom |
|
McAfee |
0x4840c900 |
MALWARE: Malicious File Detected by GTI |
|
Palo Alto |
425722383 |
trojan/Win32 EXE.filecoder.aks |
|
Palo Alto |
425724309 |
trojan/Win32 EXE.hive.i |
|
Palo Alto |
463716005 |
trojan/ELF.filecoder.amt |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.
References
[1] "#StopRansomware: AvosLocker Ransomware (Update)," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a. [Accessed: Oct. 11, 2023]
[2] A. Brandt, "Avos Locker remotely accesses boxes, even running in Safe Mode," Sophos News, Dec. 22, 2021. Available: https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/. [Accessed: Oct. 11, 2023]
