Background
Qualys recently published a blog post on AvosLocker ransomware, which targets both Windows and Linux operating systems.
What is AvosLocker?
AvosLocker is a ransomware as a service (RaaS). It employs RSA encryption to encrypt files then uses the ChaCha20 algorithm to encrypt encryption-related information. AvosLocker originally only targeted Windows systems, but new variants target Linux VMware ESXi virtual machines as well. AvosLocker is typically delivered via spam emails. The threat actors behind AvosLocker are also leveraging CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, and CVE-2021-31207.
The group behind AvosLocker has been active since 2021. Following a successful attack, the threat actors release the name of their victim on the Dark Leak TOR website. The threat actors also advertise the latest AvosLocker variant on the Dark Leak site. They claim the latest Windows variant of AvosLocker is one of the fastest on the market and has highly scalable threading and selective ciphers.
The AvosLocker affiliate program includes the following “benefits”:
- Support for Windows, Linux, and ESXi
- Affiliate panels and negotiation panels
- Consultations on operations and assistance with ransom negotiations
- Both automatic and highly configurable builds
- Automatic decryption tests
- Network resource encryption
- Removal of shadow copies
- Data storage
- DDoS capabilities
- Calling services
- A network of pentesters, access brokers, and other individuals in the “business”
The AvosLocker ransom note tells users to not shut down their system in case encryption is still in progress, which can result in corrupted and unrecoverable files. The victim is instructed to visit a TOR site to pay the ransom and obtain the decryption key. If the victim does not pay the ransom, the threat actors list their data for sale.
IOCs
PolySwarm has samples of the recently reported AvosLocker variants.
C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02 (Windows)
7C935DCD672C4854495F41008120288E8E1C144089F1F06A23BD0A0F52A544B1 (Linux)
You can use the following CLI command to search for all AvosLocker samples in our portal:
$ polyswarm link list -f AvosLocker
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports