Avos Locker | |
Date of Initial Activity | 2021 |
Location | Unknown |
Suspected Attribution | Ransomware Group |
Targeted Countries | United States, China, India, Taiwan, Spain, Botswana, Indonesia, United Kingdom, Canada |
Motivation | Financial Gain |
Software | Windows |
Overview
AvosLocker is a ransomware-as-a-service (RaaS) operation that emerged in mid-2021 and became known for double extortion: affiliates deploy the AvosLocker ransomware to encrypt victim files and threaten to publish stolen data unless a ransom is paid. The group consistently targeted sectors that tolerate downtime poorly, such as education, manufacturing and healthcare, which made its intrusions particularly disruptive. Attacks are tailored to each victim, with the affiliate choosing how to breach the network, what to exfiltrate and what to encrypt. The combination of data theft and encryption is the hallmark of its operations and is designed to maximise pressure on the victim to pay.
AvosLocker initially targeted Windows systems, then added a Linux variant aimed at VMware ESXi hosts, which let affiliates take down virtualised server estates in one pass. Documented initial-access techniques include exploitation of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) on unpatched Microsoft Exchange servers, use of compromised RDP and VPN credentials, and exploitation of third-party software such as Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077). Once inside, affiliates typically steal sensitive data first and deploy the ransomware afterwards, so that the leak threat is already in hand when the ransom note appears.
Common targets
- Individuals
- Educational Services
- Manufacturing
- Health Care and Social Assistance
- Retail Trade
- Transportation and Warehousing
- Information
- United States
- China
- India
- Taiwan
- Spain
- Botswana
- Indonesia
- United Kingdom
- Canada
Attack Vectors
Phishing, exploitation of unpatched internet-facing services (Exchange ProxyShell, Zoho ManageEngine ServiceDesk Plus) and compromised RDP or VPN credentials
How they operate
Once on a host, AvosLocker combines several steps to maximise the impact of encryption. The ransomware is often staged to run after a reboot into Windows Safe Mode (with Networking, so the operators keep remote access), where endpoint security products and other services that would otherwise interfere with encryption do not start. The binary accepts command-line switches that turn individual behaviours on or off for the target environment, and it creates a mutex so that only one instance runs at a time. It then terminates processes and services that keep files locked, such as databases and backup agents, so that encryption can proceed uninterrupted, and it deletes Volume Shadow Copies and other local recovery points so the victim cannot roll files back.
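The pre-encryption steps above (staging a Safe Mode reboot, deleting shadow copies, killing processes) are visible in process-creation telemetry before any file is encrypted. The following Go program is an added example, not code from this page or from any AvosLocker sample: it runs a handful of behaviour rules over constructed process-creation records and escalates only when one host shows several distinct behaviours, since a lone shadow-copy deletion can be a legitimate administrative action. The host names, user names, sample command lines and the asterisk-prefixed RunOnce rule are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// ProcEvent is a constructed, minimal process-creation record of the kind an
// EDR, Sysmon (Event ID 1) or Windows Security (4688) pipeline would deliver.
type ProcEvent struct {
	Host        string
	User        string
	CommandLine string
}

// Finding records which behaviour rule an event matched.
type Finding struct {
	Rule  string
	Event ProcEvent
}

// Rules are keyed on behaviours, not on any sample hash: recovery-point
// destruction, staging a Safe Mode reboot, and bulk termination. The
// asterisk-prefixed RunOnce value is a generic Windows mechanism that makes
// an entry run even in Safe Mode; it is a hypothetical indicator here, not a
// documented AvosLocker artefact.
var rules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"shadow_copy_deletion", regexp.MustCompile(`(?i)\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)`)},
	{"safe_mode_boot_config", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+safeboot\s+(minimal|network)`)},
	{"safe_mode_runonce", regexp.MustCompile(`(?i)\breg(\.exe)?\s+add\s+"?HK(LM|EY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"?\s+/v\s+"?\*`)},
	{"bulk_termination", regexp.MustCompile(`(?i)\b(taskkill(\.exe)?\s+/f\s+/im|net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b`)},
}

// Detect returns one Finding per (event, rule) match.
func Detect(events []ProcEvent) []Finding {
	var out []Finding
	for _, ev := range events {
		for _, r := range rules {
			if r.Re.MatchString(ev.CommandLine) {
				out = append(out, Finding{Rule: r.Name, Event: ev})
			}
		}
	}
	return out
}

// HostsByDistinctRules counts how many different behaviours fired per host.
// Two or more distinct pre-encryption behaviours on one host is the signal
// worth paging on; a single match is a candidate for review.
func HostsByDistinctRules(fs []Finding) map[string]int {
	seen := map[string]map[string]bool{}
	for _, f := range fs {
		if seen[f.Event.Host] == nil {
			seen[f.Event.Host] = map[string]bool{}
		}
		seen[f.Event.Host][f.Rule] = true
	}
	out := map[string]int{}
	for h, rs := range seen {
		out[h] = len(rs)
	}
	return out
}

// SampleEvents is constructed telemetry: a backup job on SRV01 that only
// lists shadow copies, and an intrusion on WS07 that stages Safe Mode,
// deletes shadow copies and kills a database process before rebooting.
var SampleEvents = []ProcEvent{
	{"SRV01", "CORP\\backupsvc", `vssadmin.exe list shadows`},
	{"SRV01", "CORP\\backupsvc", `bcdedit /enum {default}`},
	{"WS07", "CORP\\jdoe", `bcdedit.exe /set {default} safeboot network`},
	{"WS07", "CORP\\jdoe", `reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v "*update" /t REG_SZ /d C:\Users\Public\upd.exe /f`},
	{"WS07", "CORP\\jdoe", `vssadmin.exe delete shadows /all /quiet`},
	{"WS07", "CORP\\jdoe", `wmic shadowcopy delete`},
	{"WS07", "CORP\\jdoe", `taskkill /f /im sqlservr.exe`},
	{"WS07", "CORP\\jdoe", `shutdown /r /t 0`},
}

func main() {
	findings := Detect(SampleEvents)
	for _, f := range findings {
		fmt.Printf("%-6s %-22s %s\n", f.Event.Host, f.Rule, f.Event.CommandLine)
	}
	scores := HostsByDistinctRules(findings)
	hosts := make([]string, 0, len(scores))
	for h := range scores {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	for _, h := range hosts {
		if scores[h] >= 2 {
			fmt.Printf("ALERT %s: %d distinct pre-encryption behaviours\n", h, scores[h])
		}
	}
}
```

The rules deliberately match the operator commands rather than the ransomware image name, because affiliates rename payloads but still need `bcdedit`, `vssadmin`/`wmic` and `taskkill` to achieve the effect; the benign SRV01 events show that listing shadow copies or enumerating boot entries must not fire.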
The encryption routine itself is the other critical component. Once running, the ransomware enumerates all drives, including fixed and removable disks and reachable network shares. It selects files to encrypt by extension and deliberately skips certain file types and Windows system files so that the host stays bootable and the victim can still read the ransom note. File contents are encrypted with AES in CBC mode, and the AES key material is then encrypted with an RSA public key; that public key is the only key material embedded in the binary, while the matching private key stays with the operators. This hybrid approach is what makes recovery without paying impractical: analysing the sample yields only the public key, which cannot unwrap the AES keys, so restoration depends on offline backups rather than on reverse engineering.
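To make the key-handling point concrete, the following Go program is an added illustration of the hybrid scheme described above; it is not AvosLocker code and not its real on-disk format. A random AES-256 key encrypts the content in CBC mode, and that key is wrapped with the operator's RSA public key, which is all an encryptor needs to carry. The blob layout, the use of RSA-OAEP padding and the sample content are assumptions made for the example. The point it demonstrates is that holding the binary (and therefore only the public key) is not enough to unwrap the AES key, which is why defenders invest in backups and shadow-copy protection rather than in key recovery from samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const rsaBits = 2048

// NewOperatorKey stands in for the key pair the operators generate and keep
// off the victim network; only its public half is embedded in the encryptor.
func NewOperatorKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		panic(err)
	}
	return priv
}

// pad applies PKCS#7 so the plaintext is a whole number of AES blocks. It
// copies its input so the caller's buffer is never modified.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := make([]byte, len(b), len(b)+n)
	copy(out, b)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptFile models what an encryptor does to one file: a fresh random
// AES-256 key and IV, AES-CBC over the content, and the AES key wrapped with
// the operator's RSA public key. Blob layout (an assumption for this example):
//   [wrapped key (rsaBits/8 bytes)] [IV (16 bytes)] [AES-CBC ciphertext]
// No MAC is added, mirroring the plain AES-CBC described on the page.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(wrapped)+len(iv)+len(ct))
	out = append(out, wrapped...)
	out = append(out, iv...)
	return append(out, ct...), nil
}

// DecryptFile is the operator-side decryptor: only the RSA private key can
// unwrap the per-file AES key. With any other key, OAEP unwrapping fails
// before any AES work happens.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	klen := priv.Size()
	if len(blob) < klen+aes.BlockSize {
		return nil, errors.New("blob too short")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:klen], nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	iv := blob[klen : klen+aes.BlockSize]
	ct := blob[klen+aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

func main() {
	priv := NewOperatorKey() // stays with the operators
	pub := &priv.PublicKey   // the only key material the encryptor carries

	doc := []byte("Q3 payroll export - constructed sample content")
	blob, err := EncryptFile(pub, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d bytes into %d bytes (wrapped key %d bytes)\n", len(doc), len(blob), pub.Size())

	back, err := DecryptFile(priv, blob)
	fmt.Printf("operator decrypt: %q err=%v\n", back, err)

	// Anyone who has only the binary, and so only the public key, cannot do this:
	_, err = DecryptFile(NewOperatorKey(), blob)
	fmt.Println("decrypt with a different private key:", err)
}
```

Because the per-file AES key is wrapped rather than stored, a forensic copy of the encrypted files plus the sample gives an analyst the ciphertext, the IV and a 256-byte RSA ciphertext of the key, none of which is usable without the operators' private key.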
Finally, once encryption is complete, AvosLocker drops a ransom note demanding payment in exchange for the decryptor. The group also runs a data leak site where it publishes data stolen before encryption, so a victim that restores from backup still faces public exposure of its information unless it pays. This pairing of technical disruption with leak pressure, together with the group's willingness to adapt its tooling to Windows, Linux and ESXi environments, is what made AvosLocker an effective and persistent threat.