AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[1][2][3]

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | AvosLocker has been disguised as a .jpg file.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | AvosLocker has deobfuscated XOR-encoded strings.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | AvosLocker has been executed via the |
| Enterprise | T1562.009 | Impair Defenses: Safe Mode Boot | AvosLocker can restart a compromised machine in safe mode.[2][4] |
| Enterprise | T1486 | Data Encrypted for Impact | AvosLocker has encrypted files and network resources using AES-256 and added an |
| Enterprise | T1083 | File and Directory Discovery | AvosLocker has searched for files and directories on a compromised network.[1][2] |
| Enterprise | T1489 | Service Stop | AvosLocker has terminated specific processes before encryption.[1] |
| Enterprise | T1106 | Native API | AvosLocker has used a variety of Windows API calls, including |
| Enterprise | T1027 | Obfuscated Files or Information | AvosLocker has used XOR-encoded strings.[1] |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | AvosLocker has used obfuscated API calls that are retrieved by their checksums.[1] |
| Enterprise | T1529 | System Shutdown/Reboot | AvosLocker's Linux variant has terminated ESXi virtual machines.[2] |
| Enterprise | T1124 | System Time Discovery | AvosLocker has checked the system time before and after encryption.[1] |
| Enterprise | T1135 | Network Share Discovery | AvosLocker has enumerated shared drives on a compromised network.[1][3] |
| Enterprise | T1057 | Process Discovery | AvosLocker has discovered system processes by calling |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | AvosLocker has hidden its console window by using the |

| ID | Name | Description |
|---|---|---|
| C0018 | C0018 | During C0018, the threat actors used AvosLocker ransomware to encrypt the compromised network.[4][5] |