win.avos_locker

AvosLocker


AvosLocker is a ransomware-as-a-service (RaaS) operation that first appeared in mid-2021. It has since become notorious for attacks on critical infrastructure in the United States, including the financial services, critical manufacturing and government facilities sectors.

In March 2022, the FBI, FinCEN and the US Treasury Department issued a joint advisory listing indicators of compromise for these attacks.

References
2022-06-21 | Cisco Talos | Flavio Costa, Chris Neal, Guilherme Venere
@online{costa:20220621:avos:b60a2ad, author = {Flavio Costa and Chris Neal and Guilherme Venere}, title = {{Avos ransomware group expands with new attack arsenal}}, date = {2022-06-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html}, language = {English}, urldate = {2022-06-22} } Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz
2022-05-20 | AdvIntel | Yelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-02 | Trend Micro | Christoper Ordonez, Alvin Nieto
@online{ordonez:20220502:avoslocker:3e0cddd, author = {Christoper Ordonez and Alvin Nieto}, title = {{AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell}}, date = {2022-05-02}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html}, language = {English}, urldate = {2022-05-04} } AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
AvosLocker
2022-05-02 | LIFARS | Vlad Pasca
@techreport{pasca:20220502:deep:e3a4dd8, author = {Vlad Pasca}, title = {{A Deep Dive into AvosLocker Ransomware}}, date = {2022-05-02}, institution = {LIFARS}, url = {https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf}, language = {English}, urldate = {2022-05-08} } A Deep Dive into AvosLocker Ransomware
AvosLocker
2022-04-28 | Symantec | Karthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-18 | AdvIntel | Vitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-04-07 | Blackberry | The BlackBerry Research & Intelligence Team
@online{team:20220407:threat:d5d3259, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: AvosLocker Prompts Advisory from FBI and FinCEN}}, date = {2022-04-07}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen}, language = {English}, urldate = {2022-04-15} } Threat Thursday: AvosLocker Prompts Advisory from FBI and FinCEN
Avoslocker AvosLocker
2022-04-04 | Trend Micro | Trend Micro Research
@online{research:20220404:ransomware:3ed5da4, author = {Trend Micro Research}, title = {{Ransomware Spotlight: AvosLocker}}, date = {2022-04-04}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker}, language = {English}, urldate = {2022-04-07} } Ransomware Spotlight: AvosLocker
AvosLocker
2022-03-17 | Sophos | Tilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-17 | IC3 | FINCEN, FBI, U.S. Department of the Treasury
@techreport{fincen:20220317:indicators:4c36c4d, author = {FINCEN and FBI and U.S. Department of the Treasury}, title = {{Indicators of Compromise Associated with AvosLocker Ransomware}}, date = {2022-03-17}, institution = {IC3}, url = {https://www.ic3.gov/Media/News/2022/220318.pdf}, language = {English}, urldate = {2022-03-22} } Indicators of Compromise Associated with AvosLocker Ransomware
Avoslocker AvosLocker
2022-03-16 | Symantec | Symantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-03-06 | Qualys | Ghanshyam More
@online{more:20220306:avoslocker:6a51fd8, author = {Ghanshyam More}, title = {{AvosLocker Ransomware Behavior Examined on Windows & Linux}}, date = {2022-03-06}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux}, language = {English}, urldate = {2022-03-10} } AvosLocker Ransomware Behavior Examined on Windows & Linux
Avoslocker AvosLocker
2022-01-17 | Cybleinc | Cyble
@online{cyble:20220117:avoslocker:e72ac8a, author = {Cyble}, title = {{AvosLocker Ransomware Linux Version Targets VMware ESXi Servers}}, date = {2022-01-17}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/}, language = {English}, urldate = {2022-02-01} } AvosLocker Ransomware Linux Version Targets VMware ESXi Servers
Avoslocker AvosLocker
2021-12-22 | Sophos | Andrew Brandt, Fraser Howard, Anand Ajjan, Peter Mackenzie, Ferenc László Nagy, Sergio Bestulic, Timothy Easton
@online{brandt:20211222:avos:b09298c, author = {Andrew Brandt and Fraser Howard and Anand Ajjan and Peter Mackenzie and Ferenc László Nagy and Sergio Bestulic and Timothy Easton}, title = {{Avos Locker remotely accesses boxes, even running in Safe Mode}}, date = {2021-12-22}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/}, language = {English}, urldate = {2021-12-31} } Avos Locker remotely accesses boxes, even running in Safe Mode
AvosLocker
2021-08-24 | Palo Alto Networks Unit 42 | Ruchna Nigam, Doel Santos
@online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit
2021-07-23 | Malwarebytes | hasherezade
@online{hasherezade:20210723:avoslocker:54f3a60, author = {hasherezade}, title = {{AvosLocker enters the ransomware scene, asks for partners}}, date = {2021-07-23}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/}, language = {English}, urldate = {2021-07-26} } AvosLocker enters the ransomware scene, asks for partners
AvosLocker
Yara Rules
[TLP:WHITE] win_avos_locker_auto (20230125 | Detects win.avos_locker.)
rule win_avos_locker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.avos_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 897de4 ff75e8 8d4708 8bc8 8945ec e8???????? c645fc01 }
            // n = 7, score = 100
            //   897de4               | mov                 dword ptr [ebp - 0x1c], edi
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   8d4708               | lea                 eax, [edi + 8]
            //   8bc8                 | mov                 ecx, eax
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   e8????????           |                     
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1

        $sequence_1 = { 83c40c ff7628 e8???????? c745fcffffffff f6450801 c706???????? 740b }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   ff7628               | push                dword ptr [esi + 0x28]
            //   e8????????           |                     
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   f6450801             | test                byte ptr [ebp + 8], 1
            //   c706????????         |                     
            //   740b                 | je                  0xd

        $sequence_2 = { 8b55c4 8b75e4 8a84f0304a4c00 88040a 0fb645e0 33c9 41 }
            // n = 7, score = 100
            //   8b55c4               | mov                 edx, dword ptr [ebp - 0x3c]
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]
            //   8a84f0304a4c00       | mov                 al, byte ptr [eax + esi*8 + 0x4c4a30]
            //   88040a               | mov                 byte ptr [edx + ecx], al
            //   0fb645e0             | movzx               eax, byte ptr [ebp - 0x20]
            //   33c9                 | xor                 ecx, ecx
            //   41                   | inc                 ecx

        $sequence_3 = { ff7584 8d4dd8 50 e8???????? 8d4d90 e8???????? 8365c000 }
            // n = 7, score = 100
            //   ff7584               | push                dword ptr [ebp - 0x7c]
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4d90               | lea                 ecx, [ebp - 0x70]
            //   e8????????           |                     
            //   8365c000             | and                 dword ptr [ebp - 0x40], 0

        $sequence_4 = { 59 5f 8be5 5d c3 53 8bdc }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   8bdc                 | mov                 ebx, esp

        $sequence_5 = { 8d8dd0faffff e8???????? 8885d6faffff 6a67 8d8dd0faffff e8???????? 8885d7faffff }
            // n = 7, score = 100
            //   8d8dd0faffff         | lea                 ecx, [ebp - 0x530]
            //   e8????????           |                     
            //   8885d6faffff         | mov                 byte ptr [ebp - 0x52a], al
            //   6a67                 | push                0x67
            //   8d8dd0faffff         | lea                 ecx, [ebp - 0x530]
            //   e8????????           |                     
            //   8885d7faffff         | mov                 byte ptr [ebp - 0x529], al

        $sequence_6 = { c7472c00000000 c747300f000000 c6471c00 c645fc07 c7473400000000 c7474400000000 c747480f000000 }
            // n = 7, score = 100
            //   c7472c00000000       | mov                 dword ptr [edi + 0x2c], 0
            //   c747300f000000       | mov                 dword ptr [edi + 0x30], 0xf
            //   c6471c00             | mov                 byte ptr [edi + 0x1c], 0
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7
            //   c7473400000000       | mov                 dword ptr [edi + 0x34], 0
            //   c7474400000000       | mov                 dword ptr [edi + 0x44], 0
            //   c747480f000000       | mov                 dword ptr [edi + 0x48], 0xf

        $sequence_7 = { 33c5 50 8d45f4 64a300000000 8b5508 8b750c 8911 }
            // n = 7, score = 100
            //   33c5                 | xor                 eax, ebp
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8911                 | mov                 dword ptr [ecx], edx

        $sequence_8 = { 83f81f 0f8794000000 52 51 e8???????? 83c408 8b55d4 }
            // n = 7, score = 100
            //   83f81f               | cmp                 eax, 0x1f
            //   0f8794000000         | ja                  0x9a
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]

        $sequence_9 = { 50 c745d0cc194a00 c745d402000000 e8???????? 8d45e8 50 8d45d8 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   c745d0cc194a00       | mov                 dword ptr [ebp - 0x30], 0x4a19cc
            //   c745d402000000       | mov                 dword ptr [ebp - 0x2c], 2
            //   e8????????           |                     
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8d45d8               | lea                 eax, [ebp - 0x28]

    condition:
        7 of them and filesize < 1701888
}
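As an added example (not Malpedia's or yara-signator's code), the Python below re-implements how the rule above evaluates: each $sequence hex string, with its "??" wildcard bytes, is compiled into a bytes regex, and the condition "7 of them and filesize < 1701888" is applied to a buffer. The buffers it tests against are constructed from the rule's own byte sequences with wildcard positions filled by an arbitrary byte; they are not AvosLocker samples, and the script needs no yara-python.

```python
"""Offline re-implementation of how win_avos_locker_auto evaluates.

Added illustration, not code from Malpedia or yara-signator. It translates the
rule's hex strings (with '??' wildcard bytes) into byte regexes and applies
the same condition, '7 of them and filesize < 1701888', so the matching logic
can be inspected and unit-tested without yara-python. The sample buffers are
constructed here and are not real AvosLocker samples.
"""
import re

# Hex sequences copied verbatim from the rule. '??' masks one byte; the rule
# masks call/jump targets and data references (e8 ????????, c706 ????????)
# because those operands change between builds and load addresses.
SEQUENCES = {
    "sequence_0": "897de4 ff75e8 8d4708 8bc8 8945ec e8???????? c645fc01",
    "sequence_1": "83c40c ff7628 e8???????? c745fcffffffff f6450801 c706???????? 740b",
    "sequence_2": "8b55c4 8b75e4 8a84f0304a4c00 88040a 0fb645e0 33c9 41",
    "sequence_3": "ff7584 8d4dd8 50 e8???????? 8d4d90 e8???????? 8365c000",
    "sequence_4": "59 5f 8be5 5d c3 53 8bdc",
    "sequence_5": "8d8dd0faffff e8???????? 8885d6faffff 6a67 8d8dd0faffff e8???????? 8885d7faffff",
    "sequence_6": "c7472c00000000 c747300f000000 c6471c00 c645fc07 c7473400000000 c7474400000000 c747480f000000",
    "sequence_7": "33c5 50 8d45f4 64a300000000 8b5508 8b750c 8911",
    "sequence_8": "83f81f 0f8794000000 52 51 e8???????? 83c408 8b55d4",
    "sequence_9": "50 c745d0cc194a00 c745d402000000 e8???????? 8d45e8 50 8d45d8",
}
MAX_FILESIZE = 1701888   # 'filesize < 1701888' from the rule condition
REQUIRED = 7             # '7 of them'


def hex_string_to_regex(pattern):
    """Compile a YARA hex string into a bytes regex.

    Only whole-byte wildcards ('??') are handled, which is all this rule uses;
    nibble wildcards, jumps ([n-m]) and alternatives are out of scope here.
    """
    tokens = pattern.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("hex string has an odd number of nibbles: %r" % pattern)
    parts = []
    for i in range(0, len(tokens), 2):
        byte = tokens[i:i + 2]
        if byte == "??":
            parts.append(b".")                  # any single byte (DOTALL below)
        elif "?" in byte:
            raise ValueError("nibble wildcards not supported: %r" % byte)
        else:
            parts.append(re.escape(bytes([int(byte, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(p) for name, p in SEQUENCES.items()}


def matched_sequences(data):
    """Names of the rule's sequences found anywhere in the buffer."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def rule_matches(data):
    """Evaluate the rule condition on a buffer (or a file's full contents)."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matched_sequences(data)) >= REQUIRED


def build_sample(names, wildcard_fill=b"\x41", filler=b"\x90" * 16):
    """Constructed test buffer: the chosen sequences with every wildcard byte
    replaced by wildcard_fill, separated by NOP filler. Not a real sample."""
    out = bytearray(filler)
    for name in names:
        tokens = SEQUENCES[name].replace(" ", "")
        for i in range(0, len(tokens), 2):
            byte = tokens[i:i + 2]
            out += wildcard_fill if byte == "??" else bytes([int(byte, 16)])
        out += filler
    return bytes(out)


if __name__ == "__main__":
    full = build_sample(list(SEQUENCES))
    partial = build_sample(list(SEQUENCES)[:6])
    print("all 10 sequences:", rule_matches(full), matched_sequences(full))
    print("only 6 sequences:", rule_matches(partial), matched_sequences(partial))
```

Two caveats the rule's own disclaimer points at are visible in this harness: a build whose code differs in only a few of the ten sequences can drop below the 7-of-10 threshold and miss entirely, and the filesize cap means a padded, packed or memory-dumped image at or above 1701888 bytes is never matched even if every sequence is present. For production scanning use yara or yara-python with the rule as published; this script only makes the evaluation logic inspectable.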