Free Trial
|
Login
Free Trial
Login
Platform

Platform

I want to

report
WHITEPAPER Picus Red Report 2024
white paper
DATASHEET Security Validation Platform
Use Cases

Use Cases

Frameworks

Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research

RESEARCH

LEARNING

whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources

RESOURCES

LEARNING

Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company

COMPANY

PARTNERS

webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

AvosLocker Ransomware Group

By Suleyman Ozarslan, PhD & Picus Labs   August 22, 2022   Ransomware

AvosLocker group started its ransomware attacks and Ransomware-as-a-Service operations in July 2021 and made a name for themselves over time. Different variants of AvosLocker are capable of impacting Windows, Linux, and ESXi machines. Avoslocker RaaS group uses the double extortion method and constantly adds new adversary techniques to their toolset. In recent attack campaigns, AvosLocker threat actors are observed to gain initial access to VMWare Horizon Unified Access Gateways that are vulnerable to the notorious Log4Shell vulnerability.
Metadata

Associated Groups

Aliases - Avos

Associated Country

-

First Seen

July 2021

Target Sectors

Education, Energy, Financial Services, Food and Beverage, Government, Healthcare, Manufacturing, Media, Telecommunications, Transportation, Technology

Target Countries

United States, Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Columbia, Germany, India, Israel, Italy, Philippines, Saudi Arabia, Spain, Syria, Taiwan, Turkey, United Arab Emirates, United Kingdom
Modus Operandi

Business Models

Ransomware-as-a-service (RaaS)

Triple Extortion

Extortion Tactics

File Encryption

Data Leakage

Threaten to Sell Stolen Information

Initial Access Methods

Exploit Public-Facing Application

External Remote Services

Valid Accounts (Stolen Credentials

Impact Methods

Data Encryption

Data Exfiltration
Exploited Applications and Vulnerabilities by AvosLocker

Application

Vulnerability

CVE

CVSS

Microsoft Exchange

Remote Code Execution

CVE-2021-31206

8.0 High

Microsoft Exchange

ProxyShell Security Feature Bypass

CVE-2021-31207

7.2 High

Microsoft Exchange

ProxyShell RCE

CVE-2021-34473

9.8 Critical

Microsoft Exchange

ProxyShell Privilege Escalation

CVE-2021-34523

9.8 Critical

Microsoft Exchange

Remote Code Execution

CVE-2021-26855

9.8 Critical

Zoho ManageEngine ServiceDesk Plus

Authentication Bypass

CVE-2021-40539

9.8 Critical

Apache Log4j

Remote Code Execution

CVE-2021-44228

10 Critical

Apache Log4j

Remote Code Execution

CVE-2021-45046

9 Critical

Apache Log4j

Denial of Service

CVE-2021-45105

5.9 Medium

Apache Log4j

Remote Code Execution

CVE-2021-44832

6.6 Medium

Atlassian Confluence Server and Data Center

Remote Code Execution

CVE-2022-26134

9.8 Critical
Utilized Tools and Malware by AvosLocker

MITRE ATT&CK Tactic

Tools

Execution

Cobalt Strike

Sliver

Defence Evasion

Avast Anti-Rootkit Scanner

aswArPot.sys

Credential Access

Mimikatz 

XenArmor Password Recovery Pro Tool

Discovery

WinLister 

Advanced IP Scanner 

Nmap

Lateral Movement

PDQ Deploy

AnyDesk

Command and Control

AnyDesk 

Pscp.exe

Exflitration

Rclone

Impact

AvosLocker ransomware

  • [1]       K. Arhart, “Cobalt Strike,” Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).

  • [2]     “GitHub - BishopFox/sliver: Adversary Emulation Framework,” GitHub. [Online]. Available: https://github.com/BishopFox/sliver. [Accessed: Jul. 21, 2022]

  • [3] Free Rootkit Scanner & Remover,” Free Rootkit Scanner & Remover. [Online]. Available: https://www.avast.com/c-rootkit-scanner-tool. [Accessed: Jul. 07, 2022]

  • [4] “AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell,” Trend Micro, May 02, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html. [Accessed: Jul. 21, 2022]

  • [5]     “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).

  • [6] “XenArmor All-In-One Password Recovery Pro 2021 Software,” XenArmor |, Jan. 30, 2019. [Online]. Available: https://xenarmor.com/allinone-password-recovery-pro-software/. [Accessed: Jul. 07, 2022]

  • [7] “WinLister v1.22 - display the list of opened windows on your system.” [Online]. Available: https://www.nirsoft.net/utils/winlister.html. [Accessed: Jul. 07, 2022]

  • [8] “Advanced IP Scanner - Download Free Network Scanner.” [Online]. Available: https://www.advanced-ip-scanner.com. [Accessed: Jul. 07, 2022]

  • [9] “Nmap: the Network Mapper - Free Security Scanner.” [Online]. Available: https://nmap.org/. [Accessed: Jul. 07, 2022]

  • [10]     “The Fast Remote Desktop Application –,” AnyDesk. https://anydesk.com/en (accessed Jul. 06, 2022).

  • [11] “PSCP.” [Online]. Available: http://xray.rutgers.edu/~matilsky/documents/pscp.htm. [Accessed: Jul. 07, 2022]

  • [12]     N. Craig-Wood, “Rclone.” https://rclone.org/ (accessed Jul. 06, 2022).

  • [13] F. Fkie, “AvosLocker (Malware Family).” [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker. [Accessed: Jul. 07, 2022]

Related Content

August 22, 2022   •   Ransomware

Conti Ransomware Group

READ MORE

August 22, 2022   •   Ransomware

BlackCat Ransomware Gang

READ MORE

August 22, 2022   •   Ransomware

Hive Ransomware Group

READ MORE

August 22, 2022   •   Ransomware

Vice Society Ransomware Group

READ MORE
Emerging Threat

Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained

Learn More
Emerging Threat

Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign

Learn More
fortimanager
Emerging Threat

CVE-2024-47575: FortiManager Missing Authentication Zero-Day Vulnerability Explained

Learn More
cisa-alert-aa24-290a
Emerging Threat

Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A

Learn More
Emerging Threat

CISA Alert AA24-249A: Russian GRU Unit 29155 Targeting U.S. and Global Critical Infrastructure

Learn More
emerging-threat
Emerging Threat

CVE-2024-38063: Remote Kernel Exploitation via IPv6 in Windows

Learn More
RansomHub-Ransomware
Emerging Threat

RansomHub Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-242A

Learn More
pioneer-kitten-ransomware
Emerging Threat

Pioneer Kitten: Iranian Threat Actors Facilitate Ransomware Attacks Against U.S. Organizations

Learn More
north-korean-APT-group
Emerging Threat

Andariel: North Korean APT Group Targets Military and Nuclear Programs

Learn More