ALPS blog

Ransomware Spotlight: AvosLocker

AvosLocker is a relatively new ransomware variant that sports the staples of modern ransomware, namely a layered extortion scheme that begins with stolen data. We shed light on this emerging ransomware family and its key techniques.

AvosLocker is one of the newer ransomware families that came to fill the void left by REvil. While not as prominent or active as LockBit or Conti, it is slowly making a name for itself, enough for the US Federal Bureau of Investigation (FBI) to release an advisory on the threat. According to that advisory, AvosLocker has been targeting critical infrastructure across several US sectors, with attacks also observed in other countries such as Canada, the UK, and Spain. Although detections remain low, its clever use of familiar tactics makes it a ransomware family worth monitoring today.

What do organizations need to know about AvosLocker?

AvosLocker is another family that runs on a ransomware-as-a-service (RaaS) model. It was first spotted in July 2021 and has since released several variants. The following are the key characteristics of AvosLocker:

  • It uses the remote administration tool AnyDesk. One of the notable characteristics of AvosLocker campaigns is the use of AnyDesk, a legitimate remote administration tool (not a remote access trojan, but abused for hands-on-keyboard access), to connect to victim machines. With it, the operator can work on the machine interactively and deploy the ransomware by hand.
  • It runs in safe mode. Another key element of AvosLocker is rebooting the machine into safe mode as an evasion tactic. Many endpoint security products do not load in safe mode, so the attacker restarts the machine, disables certain drivers, and runs the ransomware in safe mode, sidestepping the protections that cannot run there. Operators also configure certain drivers so that AnyDesk keeps running in safe mode and they do not lose remote access across the reboot. It is important to note that this tactic was previously employed by the now defunct REvil.
  • Operators auction stolen data. AvosLocker again takes a leaf out of REvil’s book by auctioning stolen data on its leak site, on top of its double extortion scheme. This could be the group’s way of squeezing more money out of a single successful attack, or of salvaging one in which the victim refuses to pay.
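The safe mode trick leaves artefacts a defender can look for on a Windows host. The script below is an added example written for this post; it is not AvosLocker code and does not come from the FBI advisory. It assumes the operator forces the restart with the standard BCD safeboot option and keeps AnyDesk alive by registering its service under the SafeBoot registry keys, neither of which the post spells out. Run it from an elevated PowerShell prompt, since bcdedit and the HKLM reads need administrator rights.

```powershell
# Added example for this post (not AvosLocker code, not from the FBI advisory).
# Audits a Windows host for two artefacts a "reboot into safe mode" evasion can leave:
#   1. a boot entry forced into safe mode through the BCD "safeboot" option
#   2. a non-Windows service (e.g. a remote-access tool) allowed to start in safe mode
# Assumption: the operator uses the documented BCD option and the SafeBoot registry
# keys; the post itself only says the machine is rebooted and drivers are adjusted.

function Get-ForcedSafeBootEntries {
    # bcdedit prints a "safeboot  Minimal|Network|DsRepair" line for every boot entry
    # that will come up in safe mode on the next restart. Returns those lines, or nothing.
    $lines = & bcdedit.exe /enum 2>$null
    if (-not $lines) { return @() }
    return @($lines | Where-Object { $_ -match '^\s*safeboot\s+(Minimal|Network|DsRepair)' })
}

function Get-SafeBootServices {
    # Each subkey under SafeBoot\Minimal and SafeBoot\Network whose default value is
    # "Service" names a service Windows will start in that safe mode. Resolve the
    # binary for each so the caller can see what would actually run.
    $found = @()
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            # Skip drivers and device-class groups; only "Service" entries map to a service.
            if ($sub.GetValue('') -ne 'Service') { continue }
            $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$($sub.PSChildName)"
            $image = (Get-ItemProperty -Path $svc -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            $found += [pscustomobject]@{
                Mode      = $mode
                Service   = $sub.PSChildName
                ImagePath = $image
            }
        }
    }
    return $found
}

function Test-OutsideWindowsDir {
    # True when a service binary lives outside %SystemRoot%. Built-in safe mode services
    # resolve under the Windows directory; a third-party tool such as AnyDesk does not.
    param([string] $ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim().Trim('"') -replace '^\\\?\?\\', ''
    if ($p -match '^(\\SystemRoot\\|system32\\)') { return $false }   # relative/driver-style paths
    $root = [regex]::Escape($env:SystemRoot)
    return -not ($p -match "^$root\\")
}

function Invoke-SafeBootAudit {
    $findings = @()
    foreach ($line in Get-ForcedSafeBootEntries) {
        $findings += "BCD: a boot entry is set to start in safe mode -> $($line.Trim())"
    }
    foreach ($s in Get-SafeBootServices) {
        if (Test-OutsideWindowsDir $s.ImagePath) {
            $findings += "SafeBoot\$($s.Mode): service '$($s.Service)' allowed in safe mode, binary: $($s.ImagePath)"
        }
    }
    return $findings
}

$findings = @(Invoke-SafeBootAudit)
if ($findings.Count -eq 0) {
    'No forced safe-boot entry and no non-Windows services registered for safe mode.'
} else {
    $findings
    # A third-party service here is not proof of compromise: an administrator may have
    # registered a support tool deliberately, so compare against the software inventory.
    # To clear a forced safe boot: bcdedit /deletevalue {default} safeboot
}
```

The audit deliberately reports rather than remediates. A hit on the BCD check on a server that nobody scheduled for maintenance is a strong signal, while a third-party service under SafeBoot needs to be checked against what the organization actually deployed before anyone removes it.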

As mentioned, AvosLocker operators have released multiple versions of the ransomware. The safe mode tactic first appeared in the second version. Following the broader trend of targeting Linux machines, the group also advertised a Linux variant in October 2021. This variant targets VMware ESXi virtual machines (VMs), which makes it one to watch out for.

Operating as a RaaS, the actors behind AvosLocker conduct reconnaissance before each campaign, choosing targets by their ability to pay the demanded ransom and tailoring their attacks accordingly.

In the next sections, we look at which regions and industries the group has targeted most often, based on our detections and information from their leak site.

