During our routine Open-source Intelligence (OSINT) research, we came across a new ransomware group named AvosLocker. It is a malicious program that infects Windows machines to encrypt document files of the victim and asks for ransom as part of its extortion program. AvosLocker appends the encrypted files with the extension .avos and forces victims to pay ransom for the decryption tool for recovering their data. The AvosLocker ransomware group uses spam email campaigns or distrustful advertisements as the primary delivery mechanisms for the malware. It uses a customized Advanced Encryption Standard (AES) with block size 256 to encrypt the data.
The AvosLocker ransomware group is publishing the name of the latest victims and their stolen data on their leak website, hxxp://avosxxxxxxxxxxxxxx[.]onion/
On their leak website, the ransomware group maintains two sections called “Public Service Announcements” and “Leaks.”
Figure 1 Blog belonging to AvosLocker ransomware group
In the “Public Service Announcements” section, the ransomware group releases the names of their latest victims along with proof of the stolen data.
Figure 2 Public Service Announcements section is used for publishing the names of latest victims
The ransomware group has been active in the market since June 1, 2021. Based on their blog posts, our team has created a timeline of the attacks by the group. The image below showcases their victims and when the data was leaked.
Figure 3 Timeline of the AvosLocker Ransomware Group Activity
Surface Web Analysis
A user name “avos” has posted the details about AvosLocker ransomware on Cafedreed, a free speech forum. The user has been looking for affiliates besides providing features about the AvosLocker, listed below.
| Sr. No | Features |
| 1 | Ability to encrypt all drives & network shares (hidden or not) |
| 2 | Multi-threaded encryption process |
| 3 | Fail-proof |
| 4 | Ability to overwrite files instead of creating copies: Files are encrypted & overwritten in blocks, causing no memory issues while proving to be way more efficient, as the original files do not need to be overwritten before deletion. |
| 5 | Delete shadow copies/backups |
| 6 | Proper memory cleaning of cryptography keys: Memory is cleansed of any keys that may be used in decryption right after each file is encrypted. No trace of decryption keys will be found in memory. |
| 7 | Written in C++ |
| 8 | Low detection rate |
| 9 | Compatible with all crypters/evading methods |
| 10 | Other applications interfering with encryption are terminated instantly |
| 11 | Large file support |
Table 1 AvosLocker Features
Based on the post, the user appears to be a part of the AvosLocker Ransomware group. In addition to sharing features of the ransomware, the user has also provided further details regarding their capabilities, payment details, and the services they offer their affiliates. These include negotiation with victims, hosting of leaks, and publishing it on their blog, among others.
Table 2 Services provided by the AvosLocker Gang
| XMPP | avos@thesecure.biz |
| Tox | 9A751AC90A5F020521EE40D58208C272BD18D2E0C934AB6DA9B918627578095 CD9847E24CE59 |
| avos@mail2tor.com |
Table 2 Contact information of the AvosLocker group
Our investigation led to a post on BleepingComputer, wherein a user named “OPASCC” created a thread seeking help and claiming to be under attack by the AvosLocker Ransomware. The post also includes a few details about the attack, such as encrypted file extension, as shown in the figure below.
Figure 4 Sample encrypted files taken from BleepingComputer forum
Like other ransomware, AvosLocker also drops a ransom note named “GET_YOUR_FILES_BACK.txt”. In the ransom note, victims are instructed by the group to visit the website “hxxp://avos2fuj6olx6xxxx[.]onion” for further details like the ransom amount and the mode of payment, etc.
Figure 5 Ransom note content taken from Bleepingcomputer forum.
Once victims submit their unique “ID” to the ransomware group’s website, they are redirected to the “/payment” page, as shown below.
Figure 6 Ransomware group payment page
The ransomware group has provided a short description along with three key components on their payment page.
- Count Down – It is a timer that shows victims how much time they have before the ransom gets doubled.
- Test Decryption – This enables the victim to upload an encrypted sample file and check whether the ransomware group can successfully decrypt it.
- Support Module – This allows the victim to interact with a support bot.
Figure 7 Payment Page of AvosLocker Ransomware group – Part 1
The group payment page also includes the ransom that needs to be paid by the victims in accepted currency XMR (MONERO) and QR scanner code, along with the ID of ransomware group as shown in the below figure.
Figure 8 Payment Page of AvosLocker Ransomware group – Part 2
Presently, the AvosLocker ransomware sample has not been released on the surface web, and our researchers are continuously monitoring the activities of the group.
Conclusion
Ransomware groups are a substantial threat to enterprises and individuals, making it essential for organizations to stay ahead of the techniques used by them. Victims of ransomware are at the risk of losing their valuable data, in addition to experiencing financial loss and loss of productivity.
The Cyble Research Labs is continuously monitoring AvosLocker’s extortion campaign, and we will keep updating our readers with new information as and when we find it.
Our Recommendations
We’ve listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow these suggestions given below:
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques:
| Tactic | Technique ID | Technique Name |
| Initial access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Discovery | T1082 | System Information Discovery |
| Impact | T1490 T1489 T1486 | Inhibit System Recovery Service Stop Data Encrypted for Impact |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| hxxp://avos2fuj6olp6x36[.]onion | Tor URL | Payment Website |
| .avos | Extension | Encryption File Extension |
| GET_YOUR_FILES_BACK.txt | Ransom Note | Ransom Note |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
