| Category | Details | References |
|---|---|---|
| Actors | | |
| First Observed | June 2021 | 1 |
| Threat Actors | TBD | |
| Environment | | |
| Platforms | Windows and Linux (ESXi) | 2 |
| Artifacts | | |
| Extensions | .avos, .avos2 | 2 |
| Ransomware Notes | GET_YOUR_FILES_BACK.txt | 2 |
| Services It Disables | Terminates at least 22 named processes | 3 |
| Other Observables | RaaS payments are accepted only in Monero. To execute in Safe Mode, it adds a RunOnce registry entry under autostart. Further investigation revealed three ways AvosLocker can be executed via the RunOnce entry: (1) direct execution of the ransomware payload; (2) a PowerShell script that downloads and executes the ransomware payload; (3) a PowerShell script that decodes and executes the ransomware payload from a disguised .jpg file. | 4, 3 |
| Automation | | |
| Automatically Gains Access | No | 3 |
| Automatically Escalates Privileges | No | |
| Requires Human Interaction | No. Requires some level of human interaction | 5 |
| Automatic Exfiltration | No. Adversaries have been observed using rclone | 6 |
| Automatic Propagation | No. Scans for hidden and/or network shares and attempts to mount/encrypt them, but does not automatically propagate to other desktops/servers | 5 |
Please note, this page was last updated at 2023-03-14 20:21.
1. https://duo.com/decipher/avoslocker-ransomware-attack-targeted-log4j-bug-in-vmware-horizon
2. https://www.avertium.com/resources/threat-reports/in-depth-look-at-avoslocker-ransomware
3. https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker
4. https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners
5. https://cyberint.com/blog/research/avoslocker-the-rising-star-of-ransomware/
6. https://www.picussecurity.com/resource/avos-locker-ransomware-group