SYMBOLCOMMON_NAMEaka. SYNONYMS
win.avos_locker (Back to overview)

AvosLocker


AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities.

In March 2022, the FBI and US Treasury Department issued a warning about the attacks.

References
2022-06-21Cisco TalosFlavio Costa, Chris Neal, Guilherme Venere
@online{costa:20220621:avos:b60a2ad, author = {Flavio Costa and Chris Neal and Guilherme Venere}, title = {{Avos ransomware group expands with new attack arsenal}}, date = {2022-06-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html}, language = {English}, urldate = {2022-06-22} } Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-02Trend MicroChristoper Ordonez, Alvin Nieto
@online{ordonez:20220502:avoslocker:3e0cddd, author = {Christoper Ordonez and Alvin Nieto}, title = {{AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell}}, date = {2022-05-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html}, language = {English}, urldate = {2022-05-04} } AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
AvosLocker
2022-05-02LIFARSVlad Pasca
@techreport{pasca:20220502:deep:e3a4dd8, author = {Vlad Pasca}, title = {{A Deep Dive into AvosLocker Ransomware}}, date = {2022-05-02}, institution = {LIFARS}, url = {https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf}, language = {English}, urldate = {2022-05-08} } A Deep Dive into AvosLocker Ransomware
AvosLocker
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-04-07BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220407:threat:d5d3259, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: AvosLocker Prompts Advisory from FBI and FinCEN}}, date = {2022-04-07}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen}, language = {English}, urldate = {2022-04-15} } Threat Thursday: AvosLocker Prompts Advisory from FBI and FinCEN
Avoslocker AvosLocker
2022-04-04Trend MicroTrend Micro Research
@online{research:20220404:ransomware:3ed5da4, author = {Trend Micro Research}, title = {{Ransomware Spotlight: AvosLocker}}, date = {2022-04-04}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker}, language = {English}, urldate = {2022-04-07} } Ransomware Spotlight: AvosLocker
AvosLocker
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-17IC3FINCEN, FBI, U.S. Department of the Treasury
@techreport{fincen:20220317:indicators:4c36c4d, author = {FINCEN and FBI and U.S. Department of the Treasury}, title = {{Indicators of Compromise Associated with AvosLocker Ransomware}}, date = {2022-03-17}, institution = {IC3}, url = {https://www.ic3.gov/Media/News/2022/220318.pdf}, language = {English}, urldate = {2022-03-22} } Indicators of Compromise Associated with AvosLocker Ransomware
Avoslocker AvosLocker
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-03-06QualysGhanshyam More
@online{more:20220306:avoslocker:6a51fd8, author = {Ghanshyam More}, title = {{AvosLocker Ransomware Behavior Examined on Windows & Linux}}, date = {2022-03-06}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux}, language = {English}, urldate = {2022-03-10} } AvosLocker Ransomware Behavior Examined on Windows & Linux
Avoslocker AvosLocker
2022-01-17CybleincCyble
@online{cyble:20220117:avoslocker:e72ac8a, author = {Cyble}, title = {{AvosLocker Ransomware Linux Version Targets VMware ESXi Servers}}, date = {2022-01-17}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/}, language = {English}, urldate = {2022-02-01} } AvosLocker Ransomware Linux Version Targets VMware ESXi Servers
Avoslocker AvosLocker
2021-12-22SophosAndrew Brandt, Fraser Howard, Anand Ajjan, Peter Mackenzie, Ferenc László Nagy, Sergio Bestulic, Timothy Easton
@online{brandt:20211222:avos:b09298c, author = {Andrew Brandt and Fraser Howard and Anand Ajjan and Peter Mackenzie and Ferenc László Nagy and Sergio Bestulic and Timothy Easton}, title = {{Avos Locker remotely accesses boxes, even running in Safe Mode}}, date = {2021-12-22}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/}, language = {English}, urldate = {2021-12-31} } Avos Locker remotely accesses boxes, even running in Safe Mode
AvosLocker
2021-08-24Palo Alto Networks Unit 42Ruchna Nigam, Doel Santos
@online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit
2021-07-23Malwarebyteshasherezade
@online{hasherezade:20210723:avoslocker:54f3a60, author = {hasherezade}, title = {{AvosLocker enters the ransomware scene, asks for partners}}, date = {2021-07-23}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/}, language = {English}, urldate = {2021-07-26} } AvosLocker enters the ransomware scene, asks for partners
AvosLocker
Yara Rules
[TLP:WHITE] win_avos_locker_auto (20230407 | Detects win.avos_locker.)
rule win_avos_locker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.avos_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a64 8d8df4fcffff e8???????? 8885f5fcffff 6a69 8d8df4fcffff e8???????? }
            // n = 7, score = 100
            //   6a64                 | push                0x64
            //   8d8df4fcffff         | lea                 ecx, [ebp - 0x30c]
            //   e8????????           |                     
            //   8885f5fcffff         | mov                 byte ptr [ebp - 0x30b], al
            //   6a69                 | push                0x69
            //   8d8df4fcffff         | lea                 ecx, [ebp - 0x30c]
            //   e8????????           |                     

        $sequence_1 = { 6a00 57 c7430401000000 c7430801000000 c703???????? 897dd4 e8???????? }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   57                   | push                edi
            //   c7430401000000       | mov                 dword ptr [ebx + 4], 1
            //   c7430801000000       | mov                 dword ptr [ebx + 8], 1
            //   c703????????         |                     
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi
            //   e8????????           |                     

        $sequence_2 = { 56 57 6800000100 c744241c5a003a00 c74424205c000000 c744241800000000 e8???????? }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   6800000100           | push                0x10000
            //   c744241c5a003a00     | mov                 dword ptr [esp + 0x1c], 0x3a005a
            //   c74424205c000000     | mov                 dword ptr [esp + 0x20], 0x5c
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0
            //   e8????????           |                     

        $sequence_3 = { 6a74 8d8d58fbffff e8???????? 88857afbffff 6a68 8d8d58fbffff e8???????? }
            // n = 7, score = 100
            //   6a74                 | push                0x74
            //   8d8d58fbffff         | lea                 ecx, [ebp - 0x4a8]
            //   e8????????           |                     
            //   88857afbffff         | mov                 byte ptr [ebp - 0x486], al
            //   6a68                 | push                0x68
            //   8d8d58fbffff         | lea                 ecx, [ebp - 0x4a8]
            //   e8????????           |                     

        $sequence_4 = { 8b4508 8b4018 99 8945f8 8b4de0 8b45e8 8b0c8de85e4c00 }
            // n = 7, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]
            //   99                   | cdq                 
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8b0c8de85e4c00       | mov                 ecx, dword ptr [ecx*4 + 0x4c5ee8]

        $sequence_5 = { 85c0 0f853d010000 eb74 80f975 754e a900080000 7447 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f853d010000         | jne                 0x143
            //   eb74                 | jmp                 0x76
            //   80f975               | cmp                 cl, 0x75
            //   754e                 | jne                 0x50
            //   a900080000           | test                eax, 0x800
            //   7447                 | je                  0x49

        $sequence_6 = { 32c0 8bcb 5e 8845a3 884590 e8???????? eb19 }
            // n = 7, score = 100
            //   32c0                 | xor                 al, al
            //   8bcb                 | mov                 ecx, ebx
            //   5e                   | pop                 esi
            //   8845a3               | mov                 byte ptr [ebp - 0x5d], al
            //   884590               | mov                 byte ptr [ebp - 0x70], al
            //   e8????????           |                     
            //   eb19                 | jmp                 0x1b

        $sequence_7 = { 6a5f 8d8d04efffff e8???????? 888520efffff 6a46 8d8d04efffff e8???????? }
            // n = 7, score = 100
            //   6a5f                 | push                0x5f
            //   8d8d04efffff         | lea                 ecx, [ebp - 0x10fc]
            //   e8????????           |                     
            //   888520efffff         | mov                 byte ptr [ebp - 0x10e0], al
            //   6a46                 | push                0x46
            //   8d8d04efffff         | lea                 ecx, [ebp - 0x10fc]
            //   e8????????           |                     

        $sequence_8 = { 33c5 50 8d45f4 64a300000000 894df0 c745fcffffffff 8b7108 }
            // n = 7, score = 100
            //   33c5                 | xor                 eax, ebp
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8b7108               | mov                 esi, dword ptr [ecx + 8]

        $sequence_9 = { 88850cfcffff 6a68 8d8df0fbffff e8???????? 88850dfcffff 6a0a 8d8df0fbffff }
            // n = 7, score = 100
            //   88850cfcffff         | mov                 byte ptr [ebp - 0x3f4], al
            //   6a68                 | push                0x68
            //   8d8df0fbffff         | lea                 ecx, [ebp - 0x410]
            //   e8????????           |                     
            //   88850dfcffff         | mov                 byte ptr [ebp - 0x3f3], al
            //   6a0a                 | push                0xa
            //   8d8df0fbffff         | lea                 ecx, [ebp - 0x410]

    condition:
        7 of them and filesize < 1701888
}
Download all Yara Rules