AvosLocker Ransomware (RaaS): A New Ransomware Group Emerges

By Tristan Reed posted Tue October 26, 2021 12:00 AM


AvosLocker recently made headlines as a new ransomware-as-a-service (RaaS) that commenced operations in June, represented by a purple bug brand logo.

Following the same model as most RaaS operations, AvosLocker has started promoting its RaaS program on various dark web forums in its search for affiliates. AvosLocker's primary means of malware delivery is spam email campaigns and online advertisements. After a successful compromise, AvosLocker offers technical assistance to victims, providing support to recover the compromised systems.

As stated on its Tor network site, AvosLocker uses 256-bit custom AES encryption and appends the extension .avos to encrypted files. Victims are then led to a landing page to begin negotiations with the AvosLocker team.

(AvosLocker Tor Site)


Analyzing AvosLocker

(AvosLocker ransom note)

Upon execution, AvosLocker encrypts files on the victim’s machine and disables file recovery and system restore. A ransom note is left on the victim’s machine, which includes a link and a corresponding ID for access to the AvosLocker Tor site.
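The mass rename to the .avos extension described above is one behaviour a defender can look for in endpoint file-event telemetry. The following is an added example, not code from the original post or from ReaQta; the log format, the process name sample.exe and the file paths are constructed for illustration, and the burst threshold and time window are assumptions to tune per environment.

```python
"""Flag ransomware-like bursts of files renamed to the .avos extension
(the extension the post attributes to AvosLocker) in endpoint file-event logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post); one event per line:
# <ISO timestamp> <process> <action> <old path> [-> <new path>]
SAMPLE_LOG = """\
2021-10-20T10:00:01 WINWORD.EXE WRITE C:\\Users\\alice\\report.docx
2021-10-20T10:02:10 sample.exe RENAME C:\\Users\\alice\\report.docx -> C:\\Users\\alice\\report.docx.avos
2021-10-20T10:02:11 sample.exe RENAME C:\\Users\\alice\\budget.xlsx -> C:\\Users\\alice\\budget.xlsx.avos
2021-10-20T10:02:11 sample.exe RENAME C:\\Users\\alice\\notes.txt -> C:\\Users\\alice\\notes.txt.avos
2021-10-20T10:02:12 sample.exe RENAME C:\\Users\\alice\\photo.jpg -> C:\\Users\\alice\\photo.jpg.avos
2021-10-20T10:02:13 sample.exe RENAME C:\\Users\\alice\\scan.pdf -> C:\\Users\\alice\\scan.pdf.avos
2021-10-20T11:30:00 explorer.exe RENAME C:\\Users\\alice\\old.avos -> C:\\Users\\alice\\keep.avos
"""

RENAME_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")
EXTENSION = ".avos"  # extension the post attributes to AvosLocker


def find_avos_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {process: total .avos renames} for every process that renamed at
    least `threshold` files to .avos inside any sliding `window`. A file that
    already had the extension (e.g. a user moving an encrypted file) is ignored,
    so isolated renames do not trigger the rule."""
    per_proc = defaultdict(list)
    for line in log_text.splitlines():
        m = RENAME_RE.match(line)
        if not m:
            continue  # WRITE and other actions are not renames
        ts, proc, old, new = m.groups()
        if new.lower().endswith(EXTENSION) and not old.lower().endswith(EXTENSION):
            per_proc[proc].append(datetime.fromisoformat(ts))
    hits = {}
    for proc, times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                hits[proc] = len(times)
                break
    return hits
```

Run against the constructed log, only sample.exe is flagged; explorer.exe's rename of an already-encrypted file is ignored.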

(AvosLocker payment page)

Once access is granted, AvosLocker provides a clean user interface that displays four main components:
  1. Countdown Timer – Displays time left before the ransom is doubled.
  2. Test Decryption – A feature that allows victims to upload an encrypted sample file to check whether it can be successfully decrypted.
  3. Support Bot – A chat feature that gives victims the ability to interact with the AvosLocker group and is used for negotiations and payment support-related matters.
  4. Payment Information – A QR code is provided for payment address with the ransom currency denoted in cryptocurrency XMR (MONERO).

(AvosLocker is paid via MONERO cryptocurrency)

Subsequently, should the owner of the data choose to not pay the ransom, the AvosLocker group then puts the victim’s data up for sale via a press release.

AvosLocker Press Release Onion Service on the Tor network (captured October 20, 2021)

Within seconds of an infection, IBM Security ReaQta is able to reconstruct the complete breach, providing full details of the attacker's tactics.


Running the attack


ReaQta’s Behavioural Tree showing the AvosLocker ransomware

ReaQta is equipped with ransomware protection capabilities to prevent any potential data encryption on endpoints. Any ransomware behaviour is automatically blocked upon detection to ensure that sensitive data is protected.

AvosLocker is automatically stopped by ReaQta within seconds

ReaQta was able to autonomously stop AvosLocker in very early attack stages, effectively mitigating any business interruptions. ReaQta’s AI automations terminated all malicious processes and stopped the threat within seconds, then closed off the alert to reduce any additional actions required of security teams.

Ransomware attacks will only continue to surge globally. Organizations and their security leaders should already have security and mitigation plans in place to ensure that their sensitive data stays safe against destructive malware.

To learn more about how organizations can defend against evolving ransomware attacks, please apply for a demonstration or read more here.