Though REvil, LockBit and Conti ruled the limelight in most of 2021 and 2022, one ransomware group that slipped the prying eyes of cybersecurity experts was AvosLocker ransomware. AvosLocker took advantage of the circumstances and developed into a deadly adversary by targeting critical infrastructure in different sectors of the US, Canada, UK and Spain in 2021. Their clever use of conventional tactics makes it a ransomware variant still worth monitoring today. Read on to find out more about the ransomware as a service (RaaS) group.

AvosLocker ransomware affects a large number of users worldwide and usually targets computers of home, corporate and large organizational users running Microsoft Windows operating systems, including Windows XP, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2003, and Windows Server 2008. It has been reported to have infected over 100,000 computers since mid-2021, making it one of the most dangerous ransomware strains currently in circulation.

AvosLocker has been reported to spread through several techniques: email attachments, malicious links and files, exploitation of known software vulnerabilities, and even malicious advertisements placed on websites. Together these expand the group's reach tremendously.


AvosLocker Vulnerabilities

Securin experts identified a set of 12 vulnerabilities associated with AvosLocker. Let us take a closer look at the vulnerabilities.


1. CVE-2018-19320 – The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 – 3 Ransomware / 0 APT – CISA KEV, Trending
   CVSS v2 – 7.20 | CVSS v3 – 7.80 | Securin VRS – 8.66

2. CVE-2021-44228 – Log4Shell vulnerability – 7 Ransomware / 10 APT – CISA KEV, Trending
   CVSS v2 – 9.30 | CVSS v3 – 10.00 | Securin VRS – 9.98

3. CVE-2021-45105 – Apache Log4j2 versions 2.0-alpha1 through 2.16.0 – 1 Ransomware / 1 APT – Trending
   CVSS v2 – 4.30 | CVSS v3 – 5.90 | Securin VRS – 7.84

4. CVE-2021-45046 – The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was found to be incomplete in certain non-default configurations – 1 Ransomware / 3 APT – Trending
   CVSS v2 – 5.10 | CVSS v3 – 9.00 | Securin VRS – 8.1

5. CVE-2021-44832 – Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) – 1 Ransomware / 2 APT – Trending
   CVSS v2 – 8.50 | CVSS v3 – 6.60 | Securin VRS – 7.44

6. CVE-2021-26855 – Microsoft Exchange Server Remote Code Execution Vulnerability – 7 Ransomware / 15 APT – CISA KEV, Trending
   CVSS v2 – 7.50 | CVSS v3 – 9.80 | Securin VRS – 9.96

7. CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability – 13 Ransomware / 7 APT – CISA KEV, Trending
   CVSS v2 – 6.50 | CVSS v3 – 7.20 | Securin VRS – 9.06

8. CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability – 12 Ransomware / 8 APT – CISA KEV, Trending
   CVSS v2 – 10 | CVSS v3 – 9.8 | Securin VRS – 9.96

9. CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability – 12 Ransomware / 8 APT – CISA KEV, Trending
   CVSS v2 – 7.50 | CVSS v3 – 9.80 | Securin VRS – 9.96

10. CVE-2021-40539 – Zoho ManageEngine ADSelfService Plus – 1 Ransomware / 2 APT – CISA KEV, Trending
   CVSS v2 – 7.5 | CVSS v3 – 9.8 | Securin VRS – 9.96

11. CVE-2021-31206 – Microsoft Exchange Server Remote Code Execution Vulnerability – 1 Ransomware / 0 APT – Trending
   CVSS v2 – 7.90 | CVSS v3 – 8.00 | Securin VRS – 8.36

12. CVE-2021-26134 – In Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance – 2 Ransomware / 5 APT – CISA KEV, Trending
   CVSS v2 – 7.50 | CVSS v3 – 9.80 | Securin VRS – 9.96

Interesting Trends

  • Using AnyDesk: A notable characteristic of AvosLocker campaigns is the use of AnyDesk, a remote desktop administration tool, to connect to victim machines. Operators can manually operate and infect machines using this tool.

  • Runs on Safe Mode: A key element of AvosLocker is being able to run itself on safe mode as part of its evasion tactics. This technique was previously employed by the now defunct REvil ransomware group. The attacker is able to restart the victim’s machines, disable specific drivers and run on safe mode, since most security measures cannot run on this mode. Often, the operators set up drivers to ensure AnyDesk can be run on safe mode as well. 

  • Auctioning Stolen Data: AvosLocker operators use another tactic borrowed from the REvil playbook in order to monetize a single successful attack or salvage a failed one: auctioning stolen data on its website on top of its double extortion scheme.

  • Launching Multiple Versions of the Same Ransomware: AvosLocker operators released several versions of their ransomware, with the latest one being a Linux variant, launched in October 2021, that is capable of attacking ESXi virtual machines (VMs).

Attack Methodology

  • The victim opens a malicious email that contains an infected file. 

  • When the user opens the attachment, a malicious script is run on the computer. This script downloads and executes the ransomware onto the computer. Once the ransomware is installed, it will begin to encrypt the user’s files and folders.

  • AvosLocker ransomware uses polymorphic techniques to change its code to evade detection by antivirus software that may be installed on the victim’s computer. It also uses anti-debugging techniques to make it harder for researchers to analyze its code. Often, the ransomware group uses legitimate anti-debugging services to hide its malicious activities.

  • Once the files are encrypted, a ransom note is displayed on the user’s computer, which demands a ransom payment in order to decrypt the files. The ransom note typically provides instructions on how to pay the ransom and may include links to a payment website. The ransom note may also contain threats to delete the user’s files if the ransom is not paid.

  • In addition to encrypting files, the AvosLocker ransomware also attempts to delete system restore points, shadow copies, and any backups that the user may have. This prevents the user from recovering their files without paying the ransom.
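The Safe Mode, AnyDesk, batch-script and recovery-inhibition behaviours described under Interesting Trends and in the methodology above map cleanly onto a behavioural detection. The following Python script is an added example written for this article; it is not Securin's tooling and not anything taken from AvosLocker. The process-creation log lines it scans are constructed to resemble Sysmon-style events (the log format and field names are assumptions), and the command-line patterns are the generic Windows commands these techniques rely on (T1490 shadow copy deletion, T1562 Safe Mode boot, T1219 AnyDesk launch, and the batch script names from the IoC table below).

```python
"""Behavioural detection for AvosLocker-style tradecraft.

Added example, not Securin's or AvosLocker's code. The sample events are
constructed, NOT real telemetry; the line format is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed event format (one process-creation event per line).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

# (MITRE technique from the article's map, description, command-line pattern)
RULES = [
    ("T1490", "Inhibit System Recovery: shadow copies / backup catalog removed",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1562", "Impair Defenses: host reconfigured to boot into Safe Mode",
     re.compile(r"bcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("T1219", "Remote Access Software: AnyDesk launched",
     re.compile(r"\banydesk(\.exe)?\b", re.I)),
    ("T1059", "Command and Scripting Interpreter: AvosLocker batch script name",
     re.compile(r"\b(execute|love|update|lock)\.bat\b", re.I)),
]


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    technique: str
    description: str
    cmdline: str


def parse_event(line: str):
    """Return the event fields as a dict, or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Run every rule over every parseable event; one Alert per rule hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line: skip rather than abort the whole scan
        for technique, description, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["ts"], ev["host"], technique, description, ev["cmdline"]))
    return alerts


def correlate(alerts, min_techniques: int = 2):
    """Hosts on which at least min_techniques distinct techniques fired.

    A lone AnyDesk launch is routine help-desk activity; AnyDesk plus a Safe
    Mode reboot plus shadow copy deletion on one host is the chain the
    article describes, so the threshold is applied per host.
    """
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.technique)
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= min_techniques}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'2023-01-10T02:14:05Z host=WS-07 user=CORP\jdoe parent=cmd.exe image=vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'2023-01-10T02:14:09Z host=WS-07 user=CORP\jdoe parent=cmd.exe image=bcdedit.exe cmdline="bcdedit.exe /set {default} safeboot network"',
    r'2023-01-10T02:14:12Z host=WS-07 user=CORP\jdoe parent=explorer.exe image=cmd.exe cmdline="cmd.exe /c C:\Windows\Temp\lock.bat"',
    r'2023-01-10T02:15:40Z host=WS-07 user=CORP\jdoe parent=services.exe image=AnyDesk.exe cmdline="C:\ProgramData\AnyDesk\AnyDesk.exe"',
    r'2023-01-10T03:01:00Z host=SRV-02 user=CORP\backup parent=cmd.exe image=vssadmin.exe cmdline="vssadmin.exe list shadows"',
    r'2023-01-10T09:30:21Z host=WS-11 user=CORP\helpdesk parent=explorer.exe image=AnyDesk.exe cmdline="C:\Program Files\AnyDesk\AnyDesk.exe"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} {a.host} {a.technique} {a.description}: {a.cmdline}")
    print("hosts showing a multi-technique chain:", correlate(found))
```

In the sample, SRV-02 only lists shadow copies (a legitimate backup check) and WS-11 only launches AnyDesk, so neither host is flagged; WS-07 trips four rules and is reported as a chain. The per-host threshold is the design choice worth keeping when adapting this to real telemetry: each rule on its own is noisy, the combination is not.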

AvosLocker MITRE Map and IoCs

MITRE MAP:

Initial Access

T1190 Exploit public-facing application

T1078 Valid accounts

Execution

T1059 Command and scripting interpreter

T1072 Software deployment tools

Persistence

T1136 Create account

T1547 Boot or logon autostart execution

Defense Evasion

T1112 Modify registry

T1562 Impair defenses

T1140 Deobfuscate/Decode files or information

T1070 Indicator removal on host

Credential Access

T1003 OS credential dumping

T1552 Unsecured credentials

T1555 Credentials from password stores

Discovery

T1083 File and directory discovery

T1135 Network share discovery

T1057 Process discovery

T1018 Remote system discovery

Lateral Movement

T1021 Remote services

T1072 Software deployment tools

Command and Control

T1219 Remote access software

Impact

T1486 Data encrypted for impact

T1489 Service stop

T1490 Inhibit system recovery

T1491 Defacement

Indicators of Compromise

Platform: Windows, Linux, ESXi

Language: C++

Encryption algorithms: RSA; AES-256 (to encrypt files); ChaCha20 (algo for encrypting encrypted data)

Mutex name: ievah8eVki3Ho4oo

APIs: Webshell; MoveFileW; RmStartSession; RmRegisterResources; RmGetList (to access the files for encryption); WNetOpenEnumA; WNetEnumResourceA; WNetAddConnection2A (to enumerate and encrypt the network resources)

DLLs: api-ms-win-core-datetime-l1-1-1, api-ms-win-core-file-l1-2-2, api-ms-win-core-localization-l1-2-1, api-ms-win-core-localization-obsolete-l1-2-0, api-ms-win-core-processthreads-l1-1-2, api-ms-win-core-string-l1-1-0, api-ms-win-core-sysinfo-l1-2-1, api-ms-win-core-winrt-l1-1-0, api-ms-win-core-xstate-l2-1-0, api-ms-win-security-systemfunctions-l1-1-0, ext-ms-win-ntuser-dialogbox-l1-1-0, ext-ms-win-ntuser-windowstation-l1-1-0, api-ms-win-appmodel-runtime-l1-1-2

Tools AvosLocker uses to access the device/host: Cobalt Strike; encoded PowerShell scripts (publicly available tool); PuTTY Secure Copy client tool (pscp.exe); Rclone; AnyDesk; Scanner; Advanced IP Scanner; WinLister; Chisel; PDQ Deploy (used to push out Windows batch scripts to the machines they planned to target)

Affected file extensions: doc, docx, xls, xlsx, ppt, pptx, pst, ost, msg, eml, vsd, vsdx, txt, csv, rtf, wks, wk1, pdf, dwg, onetoc2, snt, jpeg, jpg, docb, docm, dot, dotm, dotx, xlsm, xlsb, xlw, xlt, xlm, xlc, xltx, xltm, pptm, pot, pps, ppsm, ppsx, ppam, potx, potm, edb, hwp, 602, sxi, sti, sldx, sldm, sldm, vdi, vmdk, vmx, gpg, aes, ARC, PAQ, bz2, tbk, bak, tar, tgz, gz, 7z, rar, zip, backup, iso, vcd, bmp, png, gif, raw, cgm, tif, tiff, nef, psd, ai, svg, djvu, m4u, m3u, mid, wma, flv, 3g2, mkv, 3gp, mp4, mov, avi, asf, mpeg, vob, mpg, wmv, fla, swf, wav, mp3, sh, class, jar, java, rb, asp, php, jsp, brd, sch, dch, dip, pl, vb, vbs, ps1, bat, cmd, js, asm, h, pas, cpp, c, cs, suo, sln, ldf, mdf, ibd, myi, myd, frm, odb, dbf, db, mdb, accdb, sql, sqlitedb, sqlite3, asc, lay6, lay, mml, sxm, otg, odg, uop, std, sxd, otp, odp, wb2, slk, dif, stc, sxc, ots, ods, 3dm, max, 3ds, uot, stw, sxw, ott, odt, pem, p12, csr, crt, key, pfx, der, dat

AvosLocker encrypted file extensions: .avos, .avos2, AvosLinux

Batch scripts of AvosLocker: execute.bat, Love.bat, Update.bat, lock.bat

Virus names used for AvosLocker: Ransom:MSIL/ApisCrypt.PAA!MTB; Trojan-Banker.Win32.NeutrinoPOS.bnq; MSIL/Filecoder.NR

Sites:
http://avosxxxxxxxx.onion
http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion
http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Note file after encryption: GET_YOUR_FILES_BACK.txt (Windows); README_FOR_RESTORE.txt (Linux)

SHA-256 hashes:
cdca6936b880ab4559d3d96101e38f0cf58b87d07b0c7bf708d078c2bf209460
0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6
10ab76cd6d6b50d26fde5fe54e8d80fceeb744de8dbafddff470939fac6a98c4
e9a7b43acdddc3d2101995a2e2072381449054a7d8d381e6dc6ed64153c9c96a
e737c901b80ad9ed2cd800fec7c2554178c8afab196fb55a0df36acda1324721
7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1
a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749
43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856
7731a9e1e5fff9d912b1d238dcd92c2ba671a5ea55441bb7f14b05ed40039ce1
794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81
a58864dd006f0528f890c9e000e660f65ffe041ebd2bcb45903fb0228321cfb2
05ba2df0033e3cd5b987d66b6de545df439d338a20165c0ba96cde8a74e463e5
C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02
6584cd273625ee121e330a981cc04e1f1d312356c9cccdb62932ea7aad53a731
da6e60b4e39c6c556836a18a09a52cd83c47f9cf6dc9e3ad298cbcb925a62a96
373a791f058539d72983e38ebe68e98132fcf996d04e9a181145f22a96689386
fc55f8b61cb79f2b85b8bf35ff1b80f49fc61a860aca7729f35449df4928cd9b
0c50992b87ba354a256dfe4356ffa98c8bc5dd231dab0a4dc64413741edb739b
5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e
be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70
33203ecb5c34c45dacf64c42c3a24cd4aeb2ceb26b0c58ba97fc8f33319da91b
3b58516758466c8129c4899f07e1e50ca98d913f7c13665aa446c75325b7c5d8

SHA-1 hashes:
05c63ce49129f768d31c4bdb62ef5fb53eb41b54
6f110f251860a7f6757853181417e19c28841eb4
9c8f5c136590a08a3103ba3e988073cfd5779519
e8c26db068914df2083512ff8b24a2cc803ea498
dab33aaf01322e88f79ffddcbc95d1ad9ad97374
e60ef891027ac1dade9562f8b1de866186338da1
67f0c8d81aefcfc5943b31d695972194ac15e9f2
2f3273e5b6739b844fe33f7310476afb971956dd
f6f94e2f49cd64a9590963ef3852e135e2b8deba

MD5 hashes:
e09183041930f37a38d0a776a63aa673
d3cafcd46dea26c39dec17ca132e5138
f659d1d15d2e0f3bd87379f8e88c6b42
afed45cd85a191fe3b2543e3ae6aa811
31f8eedc2d82f69ccc726e012416ce33
a39b4bea47c4d123f8195a3ffb638a1b
504bd1695de326bc533fde29b8a69319
eb45ff7ea2ccdcceb2e7e14f9cc01397
d285f1366d0d4fdae0b558db690497ea
cf0c2513b6e074267484d204a1653222

AvosLocker service name: Ransom.Win32.AVOSLOCKER.SMYXBLNT; Ransom.Win32.AVOSLOCKER.YPBLU
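The atomic indicators in the table (file hashes, mutex name, ransom note filenames and the appended extensions) are the kind a responder loads into a quick host sweep. The following Python script is an added example written for this article, not Securin's tooling; it loads a subset of the hashes from the table above (case-normalized, so the one uppercase SHA-256 entry matches, and deduplicated), then checks constructed file paths, file contents and mutex names against them. The file contents and paths are constructed so the script runs offline, and treating AvosLinux as a file suffix is an assumption.

```python
"""Atomic IoC sweep for the AvosLocker indicators in the table above.

Added example, not Securin's code. Hash values, mutex, note filenames and
extensions come from the table; the files and mutex names checked below are
constructed sample inputs, so their digests will not match the real IoCs.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Subset of the table's hashes (deliberately including a duplicate and the
# uppercase entry to show the normalization step).
RAW_SHA256 = """
cdca6936b880ab4559d3d96101e38f0cf58b87d07b0c7bf708d078c2bf209460
0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6
10ab76cd6d6b50d26fde5fe54e8d80fceeb744de8dbafddff470939fac6a98c4
cdca6936b880ab4559d3d96101e38f0cf58b87d07b0c7bf708d078c2bf209460
C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02
fc55f8b61cb79f2b85b8bf35ff1b80f49fc61a860aca7729f35449df4928cd9b
"""
RAW_SHA1 = """
05c63ce49129f768d31c4bdb62ef5fb53eb41b54
6f110f251860a7f6757853181417e19c28841eb4
"""
RAW_MD5 = """
e09183041930f37a38d0a776a63aa673
d3cafcd46dea26c39dec17ca132e5138
"""

IOC_MUTEX = "ievah8eVki3Ho4oo"
IOC_NOTE_FILES = {"GET_YOUR_FILES_BACK.txt", "README_FOR_RESTORE.txt"}
# Compared without the dot and case-insensitively; "AvosLinux" as a suffix is an assumption.
IOC_EXTENSIONS = {"avos", "avos2", "avoslinux"}


def normalize_hashes(raw: str, length: int) -> set:
    """Lowercase, validate and deduplicate a whitespace-separated hash list."""
    out = set()
    for tok in raw.split():
        tok = tok.lower()
        if not re.fullmatch(rf"[0-9a-f]{{{length}}}", tok):
            raise ValueError(f"malformed {length}-char hash in feed: {tok}")
        out.add(tok)
    return out


IOC_HASHES = {
    "sha256": normalize_hashes(RAW_SHA256, 64),
    "sha1": normalize_hashes(RAW_SHA1, 40),
    "md5": normalize_hashes(RAW_MD5, 32),
}


def match_hash(hexdigest: str):
    """Return the algorithm name whose IoC set contains this digest, else None."""
    h = hexdigest.strip().lower()
    for algo, known in IOC_HASHES.items():
        if h in known:
            return algo
    return None


def digest_all(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in IOC_HASHES}


def check_file(path: str, data: bytes) -> list:
    """Findings for one file: ransom note name, encrypted extension, hash hit."""
    findings = []
    p = PureWindowsPath(path)  # accepts both back- and forward slashes
    if p.name in IOC_NOTE_FILES:
        findings.append("ransom_note")
    if p.suffix.lower().lstrip(".") in IOC_EXTENSIONS:
        findings.append("encrypted_extension")
    for algo, h in digest_all(data).items():
        if h in IOC_HASHES[algo]:
            findings.append(f"hash_match:{algo}")
    return findings


def scan_files(files: dict) -> dict:
    """Map path -> findings for every file that produced at least one finding."""
    return {path: f for path, data in files.items() if (f := check_file(path, data))}


def check_mutexes(names) -> list:
    """Mutex names whose final path component equals the AvosLocker mutex."""
    return [n for n in names if n.split("\\")[-1] == IOC_MUTEX]


# Constructed sample inputs (not real files).
SAMPLE_FILES = {
    r"C:\Users\jdoe\Desktop\GET_YOUR_FILES_BACK.txt": b"constructed note body",
    r"C:\Users\jdoe\Documents\budget.xlsx.avos2": b"constructed ciphertext",
    "/vmfs/volumes/datastore1/README_FOR_RESTORE.txt": b"constructed linux note",
    r"C:\Users\jdoe\Documents\report.docx": b"constructed clean document",
}

if __name__ == "__main__":
    for path, findings in scan_files(SAMPLE_FILES).items():
        print(path, "->", ", ".join(findings))
    print(check_mutexes([r"Global\ievah8eVki3Ho4oo", r"Global\Unrelated"]))
```

Note that the feed loader rejects malformed entries instead of silently dropping them; a hash list that has been mangled in transit (the table above lost characters in several places) is better caught at load time than discovered as a missed match.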

Products Affected by AvosLocker Ransomware Vulnerabilities

There are two vulnerabilities with a significant number of products affected. Both vulnerabilities are exploited by AvosLocker. Here are the products these vulnerabilities affect:


CVE-2021-44228: A high-risk vulnerability rated critical in CVSS v3 (10) exists in Apache Log4j. This vulnerability exists in 176 products from 21 vendors. Notable among them are vendors such as Oracle, Red Hat, Apache, Novell, Amazon, Cisco, SonicWall, and others. This remote code execution vulnerability is exploited by six ransomware gangs: AvosLocker, Conti, Khonsari, Night Sky, Cheerscrypt, and TellYouThePass. This vulnerability, too, is a point of interest for hackers and was found trending as of December 10, 2022, which is probably why CISA has included it as part of the CISA KEV catalog.

CVE-2021-45046: This high-risk vulnerability is rated critical in CVSS v3 (9), and it exists in 16 vendors and 93 products. Notable among the vendors that are vulnerable to this CVE are Intel, Apache, NetApp, Red Hat, and many others. This vulnerability was newly associated with the AvosLocker ransomware in 2022 and has been trending since December 12, 2022. CISA has not prioritized this vulnerability as a KEV yet, but Securin experts highly recommend that CISA add it to the catalog.

How Can We Help?

Securin has been researching ransomware groups and the methods they use to invade networks since 2019. Our comprehensive database of more than 359 vulnerabilities (and counting) used by ransomware groups is the most extensive compilation in the industry today. Securin’s expertise in ransomware research translates into our Ransomware reports and Ransomware Assessment service that can help organizations increase their security posture.
