All About AvosLocker Ransomware

Originally Published: March 28, 2023

All About AvosLocker Ransomware

While not as prominent as REvil, LockBit or Conti, AvosLocker slowly made a name for itself by targeting critical infrastructure in different sectors of the US, Canada, UK and Spain in 2021. Since then, their clever use of conventional tactics and intermittent widespread attacks have made the ransomware variant still worth monitoring today.

AvosLocker ransomware affects a large number of users worldwide and usually targets computers of home, corporate and large organizational users running Microsoft Windows operating systems, including Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2003, and Windows Server 2008. It has been reported to have infected over 100,000 computers since mid-2021, making it one of the most dangerous ransomware strains currently in circulation.

Amongst the various techniques AvosLocker has been reported to use to spread itself, the use of email attachments, malicious links, malicious files, and exploiting known vulnerabilities in software, and even linking malicious advertisements on websites, expands their outreach tremendously.

The slow but steady activities of the group, and their capability to exploit across different OS environments prompted a warning from CISA under the #StopRansomware campaign in October 2023.

Interesting Trends

Let us look at some of the unique mannerisms of the group that make it a formidable threat.

  • Choice of software: The AvosLocker group uses legitimate remote access tools to connect to victim machines. As the actors weaponize widely used software like AnyDesk, a remote desktop administration tool, antivirus software may not detect these implementations as malicious, allowing the group to easily circumnavigate defense measures. Operators can even manually operate and infect machines using such tools.
  • Runs on Safe Mode: A key element of AvosLocker is being able to run itself on safe mode as part of its evasion tactics. This technique was previously employed by the now defunct REvil ransomware group. The attacker is able to restart the victim’s machines, disable specific drivers and run on safe mode, since most security measures cannot run on this mode. Often, the operators set up drivers to ensure AnyDesk can be run on safe mode as well.
  • Auctioning Stolen Data: AvosLocker operators use another tactic borrowed from the REvil playbook in order to monetize a single successful attack or salvage a failed one–auctioning stolen data on its website on top of its double extortion scheme.
  • Launching multiple versions of the same ransomware: The group released several versions of their ransomware, with the latest one being a Linux variant, launched in October 2021, that is capable of attacking ESXi virtual machines (VMs).

How does AvosLocker Attack

  1. The victim opens a malicious email that contains an infected file.
  2. When the user opens the attachment, a malicious script is run on the computer. This script downloads and executes the ransomware onto the computer. Once the ransomware is installed, it will begin to encrypt the user’s files and folders.
  3. AvosLocker ransomware uses polymorphic techniques to change its code to evade detection by antivirus software that may be installed on the victim’s computer. It also uses anti-debugging techniques to make it harder for researchers to analyze its code. Often, the ransomware group uses legitimate anti-debugging services to hide its malicious activities.
  4. Once the files are encrypted, a ransom note is displayed on the user’s computer, which demands a ransom payment in order to decrypt the files. The ransom note typically provides instructions on how to pay the ransom and may include links to a payment website. The ransom note may also contain threats to delete the user’s files if the ransom is not paid.
  5. In addition to encrypting files, the AvosLocker ransomware also attempts to delete system restore points, shadow copies, and any backups that the user may have. This prevents the user from recovering their files without paying the ransom.

AvosLocker Vulnerabilities

Securin experts identified a set of 15 vulnerabilities associated with AvosLocker. Let us take a closer look at the vulnerabilities.
1. CVE-2018-19320 – ​The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08; could allow a local attacker to take complete control of the affected system.

Trending | CISA KEV | 3 Ransomware Associations
CVSS v2 – 7.20, CVSS v3- 7.80, Securin VRS – 8.66

2. CVE-2021-44228 –  Log4Shell vulnerability; An attacker who can control log messages or log message parameters can execute arbitrary code under specific conditions.

Trending | CISA KEV| 10 Ransomware Associations | 14 APT Associations
CVSS v2 – 9.30, CVSS v3 – 10.00, Securin VRS – 10

3. CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0;  allows an attacker with control over Thread Context Map data to cause a denial of service.

Trending | 1 Ransomware Association | 1 APT Association
CVSS v2 – 4.30, CVSS v3 – 5.90, Securin VRS – 7.86

4. CVE-2021-45046 – It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers to manipulate input data when the logging configuration uses specific non-default options, resulting in an information leak and remote code execution in some environments and local code execution in all environments.

Trending | CISA KEV | 1 Ransomware Association | 3 APT Associations
CVSS v2 -5.10, CVSS v3 – 9.00, VRS – 8.19

5. CVE-2021-44832 – Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack under specific configurations.

Trending | 1 Ransomware Association | 2 APT Associations
CVSS v2 – 8.50, CVSS v3 – 6.60, Securin VRS – 7.45

6. CVE-2021-26855 – Microsoft Exchange Server Remote Code Execution Vulnerability

Trending | CISA KEV | 9 Ransomware Associations | 17 APT Associations
CVSS v2 – 7.50, CVSS v3 – 9.1. VRS – 9.91

7. CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability

Trending | CISA KEV | 14 Ransomware Associations | 9 APT Associations
CVSS v2 – 6.5, CVSS v3 – 6.6, Securin VRS – 8.44

8. CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability

Trending | CISA KEV | 13 Ransomware Associations | 12 APT Associations
CVSS v2 – 10, CVSS v3 – 9.1, Securin VRS – 9.91

9. CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability

Trending | CISA KEV | 13 Ransomware Associations | 10 APT Associations
CVSS v2 – 7.5, CVSS v3 – 9, VRS – 9.51

10. CVE-2021-40539 – ​Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

Trending | CISA KEV | 2 Ransomware Associations | 2 APT Associations
CVSS V2 – 7.5, CVSS v3 – 9.8, Securin VRS – 9.98

11. CVE-2021-31206 – Microsoft Exchange Server Remote Code Execution Vulnerability

Trending | 1 Ransomware Association
CVSS V2 – 7.9, CVSS v3 – 7.6, Securin VRS – 8.47

12. CVE-2021-26134 – Confluence Server and Data Center; would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

Trending | CISA KEV | 2 Ransomware Associations | 6 APT Associations
CVSS V2 – 7.5, CVSS v3 – 9.8, Securin VRS – 9.96

13. CVE-2021-27876-​An issue in Veritas Backup Exec before 21.2. A vulnerability in the SHA Authentication scheme allows an attacker to gain unauthorized access, and execute data management protocol commands on the authenticated connection. By using crafted input parameters in one of these commands, an attacker can access an arbitrary file on the system using System privileges.

Trending | CISA KEV | 2 Ransomware Associations
CVSS V2 – 7.5, CVSS v3 – 8.1, Securin VRS – 9.52

14. CVE-2021-27877 – ​An issue in Veritas Backup Exec before 21.2 which supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn’t yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an agent and execute privileged commands.

Trending | CISA KEV | 2 Ransomware Associations
CVSS V2 – 7.5, CVSS v3 – 9.8, Securin VRS – 9.98

15. CVE-2021-27878 – ​An issue in Veritas Backup Exec before 21.2, could allow an attacker to gain unauthorized access, complete the authentication process, or use one of the data management protocol commands to execute an arbitrary command on the system using system privileges.

Trending | CISA KEV | 2 Ransomware Associations
CVSS V2 – 9, CVSS v3 – 8.8, Securin VRS – 9.6

16. CVE-2022-26501 – ​Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).

Trending | CISA KEV | 2 Ransomware Associations
CVSS V2 – 10, CVSS v3 – 9.8, Securin VRS – 9.96

17. CVE-2022-26500 – ​Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.

Trending | CISA KEV | 2 Ransomware Associations
CVSS V2 – 6.5, CVSS v3 – 8.8, Securin VRS – 8.46

Multiple Products Affected by Ransomware Vulnerabilities

CVE-2021-44228: A high-risk vulnerability rated critical in CVSS V3 (10) exists in Apache Log4j. This vulnerability exists in 176 products from 21 vendors. Notable among them are vendors such as Oracle, Red Hat, Apache, Novell, Amazon, Cisco, SonicWall, and others. This RCE vulnerability is exploited by six ransomware gangs: AvosLocker, Conti, Khonsari, Night Sky, Cheerscrypt, and TellYouThePass. This vulnerability, too, is a point of interest for hackers and has been trending since December 2022, which is probably why CISA has included it as part of the CISA KEV catalog.


CVE-2021-45046: This high-risk vulnerability is rated critical in CVSS V3 (9), and it exists in 16 vendors and 93 products. Notable among the vendors that are vulnerable to this CVE are Intel, Apache, NetApp, Red Hat, and many others. This vulnerability was newly associated with the AvosLocker ransomware in 2022 and has been trending since December 12, 2022. While our researchers have been tracking this vulnerability as a threat since December 2021, it was added to the CISA KEVs more than a year later, in March 2023.

Attack Methodology

  • The victim opens a malicious email that contains an infected file. 

  • When the user opens the attachment, a malicious script is run on the computer. This script downloads and executes the ransomware onto the computer. Once the ransomware is installed, it will begin to encrypt the user’s files and folders.

  • AvosLocker ransomware uses polymorphic techniques to change its code to evade detection by antivirus software that may be installed on the victim’s computer. It also uses anti-debugging techniques to make it harder for researchers to analyze its code. Often, the ransomware group uses legitimate anti-debugging services to hide its malicious activities.

  • Once the files are encrypted, a ransom note is displayed on the user’s computer, which demands a ransom payment in order to decrypt the files. The ransom note typically provides instructions on how to pay the ransom and may include links to a payment website. The ransom note may also contain threats to delete the user’s files if the ransom is not paid.

  • In addition to encrypting files, the AvosLocker ransomware also attempts to delete system restore points, shadow copies, and any backups that the user may have. This prevents the user from recovering their files without paying the ransom.

AvosLocker MITRE Map and IoCs

Initial Access

T1190 Exploit public-facing application

T1078 Valid accounts

Execution

T1059 Command and scripting interpreter

T1072 Software deployment tools

Persistence

T1136  Create account

T1547 Boot or logon autostart execution

Defense Evasion

T1112 Modify registry

T1562 Impair defenses

T1140 Deobfuscate/Decode files or information

T1070 Indicator removal on host

Credential Access

T1003 OS credential dumping

T1552 Unsecured credentials

T1555 Credentials from password stores

Discovery

T1083 File and directory discovery

T1135 Network share discovery

T1057 Process discovery

T1018 Remote system discovery

Lateral Movement

T1021 Remote services

T1072 Software deployment tools

Command and Control T1219 Remote access software
Impact

T1436 Data encrypted for impact

T1489 Service stop

T1490 Inhibit system recovery

T1491 Defacement

Indicators of Compromise

Key Value
Platform Windows
Linux
EXSi
Language C++
Encrypting Algo’s RSA
AES-256(Toencryptfiles)
ChaCha20Algof
encry ptencrypteddata
Mutex Name ievah8eVki3Ho4oo
API’s

Webshell
MoveFileW
RMStartSession
RmRegisterResources
RmGetList(toaccessthefilesf
encryption)
WNetOpenEnumA
WNetEnumResourceA

WNetAddConnection2A(toenumerate
encryptthenetw
kresources)

DLL’s api-ms-win-c
e-datetime-l1-1-1
api-ms-win-c
e-file-l1-2-2
api-ms-win-c
e-localization-l1-2-1
api-ms-win-c
e-localization-obsolete-l1-2-0
api-ms-win-c
e-processthreads-l1-1-2
api-ms-win-c
e-string-l1-1-0
api-ms-win-c
e-sysinfo-l1-2-1
api-ms-win-c
e-winrt-l1-1-0
api-ms-win-c
e-xstate-l2-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
api-ms-win-appmodel-runtime-l1-1-2
AvosLocker Using Tools to Access Device/Host CobaltStrike
EncodedPowerShellscripts(publiclyavailabletool)
PuTTYSecureCopyclienttool“pscp.exe”
Rclone
Anydesk
Scanner
AdvancedIPscanner
WinLister
Chisel
PDQDeploy(PDQDeploytopushoutWindowsbatchscriptstomachinestheyplannedtotarget.)
Affected File Extensions ndoc, docx, xls, xlsx, ppt, pptx, pst, ost, msg, eml, vsd, vsdx, txt, csv, rtf, wks, wk1, pdf, dwg, onetoc2, snt, jpeg, jpg, docb, docm, dot, dotm, dotx, xlsm, xlsb, xlw, xlt, xlm, xlc, xltx, xltm, pptm, pot, pps, ppsm, ppsx, ppam, potx, potm, edb, hwp, 602, sxi, sti, sldx, sldm, sldm, vdi, vmdk, vmx, gpg, aes, ARC, PAQ, bz2, tbk, bak, tar, tgz, gz, 7z, rar, zip, backup, iso, vcd, bmp, png, gif, raw, cgm, tif, tiff, nef, psd, ai, svg, djvu, m4u, m3u, mid, wma, flv, 3g2, mkv, 3gp, mp4, mov, avi, asf, mpeg, vob, mpg, wmv, fla, swf, wav, mp3, sh, class, jar, java, rb, asp, php, jsp, brd, sch, dch, dip, pl, vb, vbs, ps1, bat, cmd, js, asm, h, pas, cpp, c, cs, suo, sln, ldf, mdf, ibd, myi, myd, frm, odb, dbf, db, mdb, accdb, sql, sqlitedb, sqlite3, asc, lay6, lay, mml, sxm, otg, odg, uop, std, sxd, otp, odp, wb2, slk, dif, stc, sxc, ots, ods, 3dm, max, 3ds, uot, stw, sxw, ott, odt, pem, p12, csr, crt, key, pfx, der, dat
AvosLocker Encrypted Files Extension .avos
.avos2
AvosLinux
Batch Scripts of AvosLocker

execute.bat
Love.bat
Update.bat
lock.bat

Virus Names to be Used by Avoslocker Ransom:MSIL/ApisCrypt
.PAA!MTB
Trojan-Banker.Win32.NeutrinoPOS.bnq
MSIL/Filecoder.NR
Sites http://avosxxxxxxxx.onion
http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion
http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
Note File after Encryption GET_YOUR_FILES_BACK.txt(windows)
README_F
_REST
E.txt(Linux)
Hash 256 cdca6936b880ab4559d3d96101e38f0cf58b87d07b0c7bf708d078c2bf209460
0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6
10ab76cd6d6b50d26fde5fe54e8d80fceeb744de8dbafddff470939fac6a98c4
e9a7b43acdddc3d2101995a2e2072381449054a7d8d381e6dc6ed64153c9c96a
e737c901b80ad9ed2cd800fec7c2554178c8afab196fb55a0df36acda1324721
cdca6936b880ab4559d3d96101e38f0cf58b87d07b0c7bf708d078c2bf209460
7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1
a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749
43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856
7731a9e1e5fff9d912b1d238dcd92c2ba671a5ea55441bb7f14b05ed40039ce1
794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81
a58864dd006f0528f890c9e000e660f65ffe041ebd2bcb45903fb0228321cfb2
05ba2df0033e3cd5b987d66b6de545df439d338a20165c0ba96cde8a74e463e5
C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02
6584cd273625ee121e330a981cc04e1f1d312356c9cccdb62932ea7aad53a731
da6e60b4e39c6c556836a18a09a52cd83c47f9cf6dc9e3ad298cbcb925a62a96
373a791f058539d72983e38ebe68e98132fcf996d04e9a181145f22a96689386
fc55f8b61cb79f2b85b8bf35ff1b80f49fc61a860aca7729f35449df4928cd9b
0c50992b87ba354a256dfe4356ffa98c8bc5dd231dab0a4dc64413741edb739b
5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e
be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70
33203ecb5c34c45dacf64c42c3a24cd4aeb2ceb26b0c58ba97fc8f33319da91b
3b58516758466c8129c4899f07e1e50ca98d913f7c13665aa446c75325b7c5d8
Hash SHA 1 05c63ce49129f768d31c4bdb62ef5fb53eb41b54
6f110f251860a7f6757853181417e19c28841eb4
9c8f5c136590a08a3103ba3e988073cfd5779519
e8c26db068914df2083512ff8b24a2cc803ea498
dab33aaf01322e88f79ffddcbc95d1ad9ad97374
e60ef891027ac1dade9562f8b1de866186338da1
67f0c8d81aefcfc5943b31d695972194ac15e9f2
2f3273e5b6739b844fe33f7310476afb971956dd
f6f94e2f49cd64a9590963ef3852e135e2b8deba
Hash MD5 e09183041930f37a38d0a776a63aa673
d3cafcd46dea26c39dec17ca132e5138
f659d1d15d2e0f3bd87379f8e88c6b42
afed45cd85a191fe3b2543e3ae6aa811
31f8eedc2d82f69ccc726e012416ce33
a39b4bea47c4d123f8195a3ffb638a1b
504bd1695de326bc533fde29b8a69319
eb45ff7ea2ccdcceb2e7e14f9cc01397
d285f1366d0d4fdae0b558db690497ea
cf0c2513b6e074267484d204a1653222
AvosLocker Service Name Ransom.Win32.AVOSLOCKER.SMYXBLNT
Ransom.Win32.AVOSLOCKER.YPBLU

Prevent Ransomware Attacks by Securing Your Attack Surface

Safeguarding networks against threats such as the AvosLocker ransomware requires a proactive and multi-faceted approach. By implementing robust cybersecurity practices, staying informed about the latest threats, and maintaining a diligent backup strategy, you can significantly reduce the risk of falling victim to this malicious software.

Remember to regularly update your operating system and software, use reliable antivirus programs, and exercise caution when clicking on links or downloading attachments. Additionally, fostering a culture of cybersecurity awareness within your organization or among your peers is crucial for creating a collective defense against ransomware attacks.

Worried about ransomware vulnerabilities in your network?

Talk with our experts to identify weak-points and vulnerabilities.

Share This Post On