S1053 AvosLocker
AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[2][3][1]
Item | Value |
---|---|
ID | S1053 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 11 January 2023 |
Last Modified | 15 February 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | AvosLocker has been executed via the RunOnce Registry key to run itself in safe mode.[3] |
enterprise | T1486 | Data Encrypted for Impact | AvosLocker has encrypted files and network resources using AES-256 and added an .avos, .avos2, or .AvosLinux extension to filenames.[2][3][5][1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | AvosLocker has deobfuscated XOR-encoded strings.[2] |
enterprise | T1083 | File and Directory Discovery | AvosLocker has searched for files and directories on a compromised network.[2][3] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.003 | Hidden Window | AvosLocker has hidden its console window by using the ShowWindow API function.[2] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.009 | Safe Mode Boot | AvosLocker can restart a compromised machine in safe mode.[3][4] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.008 | Masquerade File Type | AvosLocker has been disguised as a .jpg file.[3] |
enterprise | T1106 | Native API | AvosLocker has used a variety of Windows API calls, including NtCurrentPeb and GetLogicalDrives.[2] |
enterprise | T1135 | Network Share Discovery | AvosLocker has enumerated shared drives on a compromised network.[2][1] |
enterprise | T1027 | Obfuscated Files or Information | AvosLocker has used XOR-encoded strings.[2] |
enterprise | T1027.007 | Dynamic API Resolution | AvosLocker has used obfuscated API calls that are retrieved by their checksums.[2] |
enterprise | T1057 | Process Discovery | AvosLocker has discovered system processes by calling RmGetList.[2] |
enterprise | T1489 | Service Stop | AvosLocker has terminated specific processes before encryption.[2] |
enterprise | T1529 | System Shutdown/Reboot | AvosLocker’s Linux variant has terminated ESXi virtual machines.[3] |
enterprise | T1124 | System Time Discovery | AvosLocker has checked the system time before and after encryption.[2] |
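As an added defender-side example (not part of the ATT&CK entry or of any cited report), the following Python triage routine applies the observables listed in the table above to constructed Sysmon-style log lines: a RunOnce registry write (T1547.001), the .avos/.avos2/.AvosLinux extensions (T1486), and an executing image disguised as a .jpg (T1036.008). Host names, paths, and the alerting rule that combines the indicators are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style log lines (sample data, not captured telemetry);
# hosts and paths are hypothetical. EventID 13 = registry value set,
# EventID 11 = file created. Paths contain no spaces to keep parsing simple.
SAMPLE_EVENTS = [
    r"host=WS01 EventID=13 Image=C:\Users\a\photo.jpg TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svc",
    r"host=WS01 EventID=11 Image=C:\Users\a\photo.jpg TargetFilename=\\FS01\finance\q1.xlsx.avos2",
    r"host=WS02 EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
    r"host=WS03 EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\c\notes.txt",
]

# Extensions the ATT&CK entry lists for encrypted files (matched case-insensitively).
RANSOM_EXTENSIONS = (".avos", ".avos2", ".avoslinux")
RUNONCE_KEY = re.compile(r"\\CurrentVersion\\RunOnce\\", re.IGNORECASE)
# An executing binary whose name claims to be a picture (T1036.008).
IMAGE_LIKE_EXT = re.compile(r"\.(jpe?g|png|gif)$", re.IGNORECASE)

def parse_event(line):
    """Split a 'key=value key=value ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def flags_for_event(ev):
    """Return the set of AvosLocker-related indicators raised by one event."""
    flags = set()
    if ev.get("EventID") == "13" and RUNONCE_KEY.search(ev.get("TargetObject", "")):
        flags.add("runonce_persistence")   # T1547.001
    if ev.get("EventID") == "11" and ev.get("TargetFilename", "").lower().endswith(RANSOM_EXTENSIONS):
        flags.add("ransom_extension")      # T1486
    if flags and IMAGE_LIKE_EXT.search(ev.get("Image", "")):
        flags.add("masquerade_file_type")  # T1036.008
    return flags

def triage(lines):
    """Aggregate indicators per host and pick hosts that warrant an alert.
    A ransom extension alone is decisive; a RunOnce write alone is noisy
    (installers use it), so it alerts only together with a masquerading image."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        per_host[ev.get("host", "?")] |= flags_for_event(ev)
    alerts = {}
    for host, flags in per_host.items():
        if "ransom_extension" in flags or {"runonce_persistence", "masquerade_file_type"} <= flags:
            alerts[host] = sorted(flags)
    return alerts

if __name__ == "__main__":
    for host, flags in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(flags)}")
```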
References
1. FBI, FinCEN, Treasury. (2022, March 17). Indicators of Compromise Associated with AvosLocker Ransomware. Retrieved January 11, 2023.
2. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
3. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
4. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
5. Venere, G., Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.