Though REvil, LockBit and Conti held the limelight for most of 2021 and 2022, one ransomware group that largely escaped the attention of cybersecurity experts was AvosLocker. AvosLocker took advantage of the circumstances and developed into a deadly adversary by targeting critical infrastructure across several sectors in the US, Canada, UK and Spain in 2021. Its effective use of conventional tactics makes it a ransomware variant still worth monitoring today. Read on to find out more about the ransomware as a service (RaaS) group.
AvosLocker ransomware affects a large number of users worldwide and usually targets computers of home, corporate and large organizational users running Microsoft Windows operating systems, including Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2003, and Windows Server 2008. It has been reported to have infected over 100,000 computers since mid-2021, making it one of the most dangerous ransomware strains currently in circulation.
AvosLocker has been reported to spread through several channels: email attachments, malicious links and files, exploitation of known software vulnerabilities, and even malicious advertisements placed on websites. Together these channels extend its reach tremendously.
Securin experts identified a set of 12 vulnerabilities associated with AvosLocker. Let us take a closer look at the vulnerabilities.
1. CVE-2018-19320 – The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 – 3 Ransomware / 0 APT – CISA KEV, Trending
   CVSS v2 – 7.20 | CVSS v3 – 7.80 | Securin VRS – 8.66
2. CVE-2021-44228 – Log4Shell vulnerability – 7 Ransomware / 10 APT – CISA KEV, Trending
   CVSS v2 – 9.30 | CVSS v3 – 10.00 | Securin VRS – 9.98
3. CVE-2021-45105 – Apache Log4j2 versions 2.0-alpha1 through 2.16.0 – 1 Ransomware / 1 APT – Trending
   CVSS v2 – 4.30 | CVSS v3 – 5.90 | Securin VRS – 7.84
4. CVE-2021-45046 – It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. – 1 Ransomware / 3 APT – Trending
   CVSS v2 – 5.10 | CVSS v3 – 9.00 | Securin VRS – 8.1
5. CVE-2021-44832 – Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) – 1 Ransomware / 2 APT – Trending
   CVSS v2 – 8.50 | CVSS v3 – 6.60 | Securin VRS – 7.44
6. CVE-2021-26855 – Microsoft Exchange Server Remote Code Execution Vulnerability – 7 Ransomware / 15 APT – CISA KEV, Trending
   CVSS v2 – 7.50 | CVSS v3 – 9.80 | Securin VRS – 9.96
7. CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability – 13 Ransomware / 7 APT – CISA KEV, Trending
   CVSS v2 – 6.50 | CVSS v3 – 7.20 | Securin VRS – 9.06
8. CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability – 12 Ransomware / 8 APT – CISA KEV, Trending
   CVSS v2 – 10 | CVSS v3 – 9.8 | Securin VRS – 9.96
9. CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability – 12 Ransomware / 8 APT – CISA KEV, Trending
   CVSS v2 – 7.50 | CVSS v3 – 9.80 | Securin VRS – 9.96
10. CVE-2021-40539 – Zoho ManageEngine ADSelfService Plus – 1 Ransomware / 2 APT – CISA KEV, Trending
    CVSS v2 – 7.5 | CVSS v3 – 9.8 | Securin VRS – 9.96
11. CVE-2021-31206 – Microsoft Exchange Server Remote Code Execution Vulnerability – 1 Ransomware / 0 APT – Trending
    CVSS v2 – 7.90 | CVSS v3 – 8.00 | Securin VRS – 8.36
12. CVE-2021-26134 – Confluence Server and Data Center: an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. – 2 Ransomware / 5 APT – CISA KEV, Trending
    CVSS v2 – 7.50 | CVSS v3 – 9.80 | Securin VRS – 9.96
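Four of the twelve entries are Log4j 2 version-range CVEs, so the check a practitioner wants is a quick triage of the log4j-core jars on a host against those ranges. The Python below is an added example, not Securin's tooling or code from the AvosLocker analysis: the version ranges and the security-fix releases excluded from them follow the Apache/NVD advisories (they agree with the ranges the list above states for CVE-2021-45105 and CVE-2021-44832), the `log4j-core-<version>.jar` naming is assumed to follow the standard Maven convention, and the sample jar paths are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Pre-release tags sort before a final release: alpha < beta < rc < release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE)
# Assumption: core jars are named "log4j-core-<version>.jar" (Maven convention).
_JAR_RE = re.compile(
    r"log4j-core-(\d+\.\d+(?:\.\d+)?(?:-(?:alpha|beta|rc)\d+)?)\.jar$", re.IGNORECASE)

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '2.0-beta9' or '2.14.1' into a tuple that compares in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre.lower()] if pre else _RELEASE_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


# (CVE, first affected, last affected, security-fix releases inside the range that are NOT affected)
# Ranges per the Apache/NVD advisories; Log4j 1.x is out of scope for these four CVEs.
LOG4J_CVES: List[Tuple[str, str, str, Tuple[str, ...]]] = [
    ("CVE-2021-44228", "2.0-beta9", "2.15.0", ("2.3.1", "2.12.2", "2.12.3")),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.12.2",)),
    ("CVE-2021-45105", "2.0-alpha1", "2.16.0", ("2.3.1", "2.12.3")),
    ("CVE-2021-44832", "2.0-beta7", "2.17.0", ("2.3.2", "2.12.4")),
]


def applicable_cves(version: str) -> List[str]:
    """Return the Log4Shell-family CVEs a given Log4j version is exposed to, in table order."""
    v = parse_version(version)
    hits = []
    for cve, first, last, fixed in LOG4J_CVES:
        in_range = parse_version(first) <= v <= parse_version(last)
        if in_range and v not in {parse_version(f) for f in fixed}:
            hits.append(cve)
    return hits


def log4j_version_from_jar(path: str) -> Optional[str]:
    """Extract the version from a log4j-core jar path; None for any other jar."""
    filename = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = _JAR_RE.search(filename)
    return m.group(1) if m else None


def triage_jars(paths: List[str]) -> Dict[str, List[str]]:
    """Map each log4j-core jar path to its applicable CVEs (non-core jars are skipped)."""
    report: Dict[str, List[str]] = {}
    for p in paths:
        ver = log4j_version_from_jar(p)
        if ver is not None:
            report[p] = applicable_cves(ver)
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    sample = [
        "/opt/app/lib/log4j-core-2.14.1.jar",
        "C:\\svc\\lib\\log4j-core-2.12.2.jar",
        "/opt/app/lib/log4j-core-2.17.1.jar",
        "/opt/app/lib/log4j-api-2.17.1.jar",
    ]
    for path, cves in triage_jars(sample).items():
        print(f"{path}: {', '.join(cves) or 'no Log4Shell-family CVE'}")
```

Feed `triage_jars` the output of a filesystem walk (or a software inventory export) and anything that returns a non-empty list is a patch or upgrade candidate; note that a jar embedded inside a WAR or fat jar will not be seen by a filename scan alone.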
Using AnyDesk: A notable characteristic of AvosLocker campaigns is the use of AnyDesk, a remote desktop administration tool, to connect to victim machines. Operators use the tool to manually control and infect machines.
Runs on Safe Mode: A key element of AvosLocker is its ability to run in safe mode as part of its evasion tactics. This technique was previously employed by the now defunct REvil ransomware group. The attacker restarts the victim's machines, disables specific drivers and runs in safe mode, since most security tooling does not run in this mode. Often, the operators also configure drivers so that AnyDesk can run in safe mode.
Auctioning Stolen Data: AvosLocker operators use another tactic borrowed from the REvil playbook to monetize a single successful attack or salvage a failed one: auctioning stolen data on their website on top of the double extortion scheme.
Launching multiple versions of the same ransomware: AvosLocker operators released several versions of their ransomware, the latest being a Linux variant, launched in October 2021, that is capable of attacking ESXi virtual machines (VMs).
- The victim opens a malicious email that contains an infected file.
- When the user opens the attachment, a malicious script is run on the computer. This script downloads and executes the ransomware onto the computer. Once the ransomware is installed, it will begin to encrypt the user’s files and folders.
- AvosLocker ransomware uses polymorphic techniques to change its code to evade detection by antivirus software that may be installed on the victim’s computer. It also uses anti-debugging techniques to make it harder for researchers to analyze its code. Often, the ransomware group uses legitimate anti-debugging services to hide its malicious activities.
- Once the files are encrypted, a ransom note is displayed on the user’s computer, which demands a ransom payment in order to decrypt the files. The ransom note typically provides instructions on how to pay the ransom and may include links to a payment website. The ransom note may also contain threats to delete the user’s files if the ransom is not paid.
- In addition to encrypting files, the AvosLocker ransomware also attempts to delete system restore points, shadow copies, and any backups that the user may have. This prevents the user from recovering their files without paying the ransom.
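Two behaviours described above leave process-creation evidence a defender can alert on: the reboot into safe mode (the "Runs on Safe Mode" tactic) and the deletion of restore points, shadow copies and backups (the last step of the chain, MITRE T1490). The Python below is an added example, not code from Securin or from the AvosLocker analysis: it runs generic command-line rules for these techniques over a constructed process log (the `timestamp|image|commandline` format and every event are made up for the demonstration), and the patterns are public ATT&CK knowledge rather than AvosLocker-specific signatures taken from the article.

```python
import re
from typing import Dict, List

# Each rule: ATT&CK technique, short description, regex over the process command line.
RULES = [
    ("T1490", "Inhibit System Recovery: shadow copy deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "Inhibit System Recovery: WMI shadow copy deletion",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("T1490", "Inhibit System Recovery: Windows recovery environment disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "Inhibit System Recovery: backup catalog deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("T1562.009", "Impair Defenses: Safe Mode Boot configured via bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
    ("T1562.009", "Impair Defenses: service registered to start in Safe Mode",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\SafeBoot\\(?:Minimal|Network)\\", re.I)),
    ("T1529", "System Shutdown/Reboot: forced restart",
     re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.I)),
]

# Constructed sample log (not real telemetry): timestamp|image|commandline, one event per line.
SAMPLE_LOG = """\
2023-01-10T09:14:02Z|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2023-01-10T09:14:05Z|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2023-01-10T09:14:09Z|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2023-01-10T09:15:30Z|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {current} safeboot network
2023-01-10T09:15:41Z|C:\\Windows\\System32\\reg.exe|reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\AnyDesk /ve /t REG_SZ /d Service /f
2023-01-10T09:16:00Z|C:\\Windows\\System32\\shutdown.exe|shutdown /r /t 0 /f
2023-01-10T09:16:02Z|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs -p
"""


def parse_events(log_text: str) -> List[Dict[str, str]]:
    """Split the pipe-delimited log into events; the command line may itself contain pipes."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, cmdline = line.split("|", 2)
        events.append({"time": ts, "image": image, "cmdline": cmdline})
    return events


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (event, matching rule), tagged with the ATT&CK technique."""
    findings = []
    for ev in parse_events(log_text):
        for technique, name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"technique": technique, "name": name, **ev})
    return findings


def techniques_seen(findings: List[Dict[str, str]]) -> List[str]:
    return sorted({f["technique"] for f in findings})


def recovery_inhibited(findings: List[Dict[str, str]]) -> bool:
    """True once any T1490 step is observed: isolate the host and protect off-host backups."""
    return any(f["technique"] == "T1490" for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['technique']:<10} {f['name']}: {f['cmdline']}")
```

The safe-mode rules and the recovery-inhibition rules fire within seconds of each other in the sample, which is the combination worth paging on: a single `vssadmin` call can be an administrator, but shadow copy deletion followed by a safe-boot configuration change and a forced reboot is the pattern described above. In production the same rules apply to the CommandLine field of Sysmon event 1 or Windows Security event 4688 rather than to this constructed format.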
AvosLocker MITRE Map and IoCs
| Tactic | Technique |
|---|---|
| Initial Access | T1190 Exploit public-facing application |
| Initial Access | T1078 Valid accounts |
| Execution | T1059 Command and scripting interpreter |
| Execution | T1072 Software deployment tools |
| Persistence | T1136 Create account |
| Persistence | T1547 Boot or logon autostart execution |
| Defense Evasion | T1112 Modify registry |
| Defense Evasion | T1562 Impair defenses |
| Defense Evasion | T1140 Deobfuscate/Decode files or information |
| Defense Evasion | T1070 Indicator removal on host |
| Credential Access | T1003 OS credential dumping |
| Credential Access | T1552 Unsecured credentials |
| Credential Access | T1555 Credentials from password stores |
| Discovery | T1083 File and directory discovery |
| Discovery | T1135 Network share discovery |
| Discovery | T1057 Process discovery |
| Discovery | T1018 Remote system discovery |
| Lateral Movement | T1021 Remote services |
| Lateral Movement | T1072 Software deployment tools |
| Command and Control | T1219 Remote access software |
| Impact | T1436 Data encrypted for impact |
| Impact | T1489 Service stop |
| Impact | T1490 Inhibit system recovery |
Indicators of Compromise
| Indicator | Value |
|---|---|
| Platform | Windows, Linux, ESXi |
| Encryption algorithms | RSA; AES-256 (to encrypt files); ChaCha20 (to encrypt data) |
| APIs used | Webshell; MoveFileW; RmStartSession; RmRegisterResources; RmGetList (to access the files for encryption); WNetOpenEnumA; WNetEnumResourceA; WNetAddConnection2A (to enumerate or encrypt the network resources) |
| DLLs | api-ms-win-core-datetime-l1-1-1, api-ms-win-core-file-l1-2-2, api-ms-win-core-localization-l1-2-1, api-ms-win-core-localization-obsolete-l1-2-0, api-ms-win-core-processthreads-l1-1-2, api-ms-win-core-string-l1-1-0, api-ms-win-core-sysinfo-l1-2-1, api-ms-win-core-winrt-l1-1-0, api-ms-win-core-xstate-l2-1-0, api-ms-win-security-systemfunctions-l1-1-0, ext-ms-win-ntuser-dialogbox-l1-1-0, ext-ms-win-ntuser-windowstation-l1-1-0, api-ms-win-appmodel-runtime-l1-1-2 |
| Tools AvosLocker uses to access the device/host | Cobalt Strike; encoded PowerShell scripts (publicly available tool); PuTTY Secure Copy client tool "pscp.exe"; Rclone; AnyDesk; Scanner; Advanced IP Scanner; WinLister; Chisel; PDQ Deploy (used to push out Windows batch scripts to the machines they planned to target) |
| Affected file extensions | ndoc, docx, xls, xlsx, ppt, pptx, pst, ost, msg, eml, vsd, vsdx, txt, csv, rtf, wks, wk1, pdf, dwg, onetoc2, snt, jpeg, jpg, docb, docm, dot, dotm, dotx, xlsm, xlsb, xlw, xlt, xlm, xlc, xltx, xltm, pptm, pot, pps, ppsm, ppsx, ppam, potx, potm, edb, hwp, 602, sxi, sti, sldx, sldm, vdi, vmdk, vmx, gpg, aes, ARC, PAQ, bz2, tbk, bak, tar, tgz, gz, 7z, rar, zip, backup, iso, vcd, bmp, png, gif, raw, cgm, tif, tiff, nef, psd, ai, svg, djvu, m4u, m3u, mid, wma, flv, 3g2, mkv, 3gp, mp4, mov, avi, asf, mpeg, vob, mpg, wmv, fla, swf, wav, mp3, sh, class, jar, java, rb, asp, php, jsp, brd, sch, dch, dip, pl, vb, vbs, ps1, bat, cmd, js, asm, h, pas, cpp, c, cs, suo, sln, ldf, mdf, ibd, myi, myd, frm, odb, dbf, db, mdb, accdb, sql, sqlitedb, sqlite3, asc, lay6, lay, mml, sxm, otg, odg, uop, std, sxd, otp, odp, wb2, slk, dif, stc, sxc, ots, ods, 3dm, max, 3ds, uot, stw, sxw, ott, odt, pem, p12, csr, crt, key, pfx, der, dat |
| AvosLocker encrypted file extensions | .avos, .avos2, AvosLinux |
| AvosLocker batch scripts | execute.bat, Love.bat, Update.bat, lock.bat |
| Virus names used by AvosLocker | Ransom:MSIL/ApisCrypt.PAA!MTB, Trojan-Banker.Win32.NeutrinoPOS.bnq, MSIL/Filecoder.NR |
| Sites | http://avosxxxxxxxx.onion, http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion, http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion |
| Note file after encryption | GET_YOUR_FILES_BACK.txt (Windows), README_FOR_RESTORE.txt (Linux) |
| AvosLocker service name | Ransom.Win32.AVOSLOCKER.SMYXBLNT, Ransom.Win32.AVOSLOCKER.YPBLU |

SHA-256 hashes:
- cdca6936b880ab4559d3d96101e38f0cf58b87d07b0c7bf708d078c2bf209460
- 0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6
- 10ab76cd6d6b50d26fde5fe54e8d80fceeb744de8dbafddff470939fac6a98c4
- e9a7b43acdddc3d2101995a2e2072381449054a7d8d381e6dc6ed64153c9c96a
- e737c901b80ad9ed2cd800fec7c2554178c8afab196fb55a0df36acda1324721
- 7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1
- a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749
- 43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856
- 7731a9e1e5fff9d912b1d238dcd92c2ba671a5ea55441bb7f14b05ed40039ce1
- 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81
- a58864dd006f0528f890c9e000e660f65ffe041ebd2bcb45903fb0228321cfb2
- 05ba2df0033e3cd5b987d66b6de545df439d338a20165c0ba96cde8a74e463e5
- C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02
- 6584cd273625ee121e330a981cc04e1f1d312356c9cccdb62932ea7aad53a731
- da6e60b4e39c6c556836a18a09a52cd83c47f9cf6dc9e3ad298cbcb925a62a96
- 373a791f058539d72983e38ebe68e98132fcf996d04e9a181145f22a96689386
- fc55f8b61cb79f2b85b8bf35ff1b80f49fc61a860aca7729f35449df4928cd9b
- 0c50992b87ba354a256dfe4356ffa98c8bc5dd231dab0a4dc64413741edb739b
- 5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e
- be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70
- 33203ecb5c34c45dacf64c42c3a24cd4aeb2ceb26b0c58ba97fc8f33319da91b
- 3b58516758466c8129c4899f07e1e50ca98d913f7c13665aa446c75325b7c5d8

SHA-1 hashes:
- 05c63ce49129f768d31c4bdb62ef5fb53eb41b54
- 6f110f251860a7f6757853181417e19c28841eb4
- 9c8f5c136590a08a3103ba3e988073cfd5779519
- e8c26db068914df2083512ff8b24a2cc803ea498
- dab33aaf01322e88f79ffddcbc95d1ad9ad97374
- e60ef891027ac1dade9562f8b1de866186338da1
- 67f0c8d81aefcfc5943b31d695972194ac15e9f2
- 2f3273e5b6739b844fe33f7310476afb971956dd
- f6f94e2f49cd64a9590963ef3852e135e2b8deba

MD5 hashes:
- e09183041930f37a38d0a776a63aa673
- d3cafcd46dea26c39dec17ca132e5138
- f659d1d15d2e0f3bd87379f8e88c6b42
- afed45cd85a191fe3b2543e3ae6aa811
- 31f8eedc2d82f69ccc726e012416ce33
- a39b4bea47c4d123f8195a3ffb638a1b
- 504bd1695de326bc533fde29b8a69319
- eb45ff7ea2ccdcceb2e7e14f9cc01397
- d285f1366d0d4fdae0b558db690497ea
- cf0c2513b6e074267484d204a1653222
Products Affected by AvosLocker Ransomware Vulnerabilities
There are two vulnerabilities with a significant number of products affected. Both vulnerabilities are exploited by AvosLocker. Here are the products these vulnerabilities affect:
CVE-2021-44228: A high-risk vulnerability rated critical in CVSS v3 (10) exists in Apache Log4j. This vulnerability exists in 176 products from 21 vendors, notably Oracle, Red Hat, Apache, Novell, Amazon, Cisco, SonicWall, and others. This remote code execution vulnerability is exploited by six ransomware gangs: AvosLocker, Conti, Khonsari, Night Sky, Cheerscrypt, and TellYouThePass. This vulnerability, too, remains of interest to attackers and was found trending as of December 10, 2022, which is likely why CISA has included it in its KEV catalog.
CVE-2021-45046: This high-risk vulnerability is rated critical in CVSS v3 (9), and it exists in 93 products from 16 vendors. Notable among the vendors vulnerable to this CVE are Intel, Apache, NetApp, Red Hat, and many others. This vulnerability was newly associated with the AvosLocker ransomware in 2022 and had been trending since December 12, 2022. CISA has not yet prioritized this vulnerability as a KEV, but Securin experts strongly recommend that CISA add it to the catalog.
Prevent Ransomware Attacks by Securing Your Attack Surface
With so many individuals and organizations at risk of data theft, improving cyber hygiene for the future is the only viable solution. Since the data is often unrecoverable, it is important to stay ahead of the attacker.
As highlighted in Securin's Ransomware Spotlight Report 2023, of the 344 total vulnerabilities associated with ransomware, 56 vulnerabilities were added in 2022 alone. Twenty-one of the vulnerabilities were exploited by ransomware such as BlackByte, Hive, AvosLocker, and LockBit, among several others. This steady increase in the number of vulnerabilities associated with ransomware emphasizes the need for periodic vulnerability management and patching to maintain good cyber hygiene. We have analyzed the latest vulnerabilities, threats, and techniques used by the ransomware groups and compiled a detailed ransomware report.
Securin offers Ransomware Attack Surface Assessment to detect vulnerabilities open to ransomware attacks. You can also check out our other services and reach out to us if you want to build a strong defense of your network architecture.