Canada Is Among Top 2 Countries for AvosLocker Ransomware Detection: Trend Micro

As ransomware continues to be a security concern, a newer family named AvosLocker has emerged as a threat worth watching. A recent report from Trend Micro titled “Ransomware Spotlight: AvosLocker” details this:

AvosLocker is one of the newer ransomware families that came to fill the void left by REvil. While not as prominent or active as LockBit or Conti, it is slowly making a name for itself, with the US Federal Bureau of Investigation (FBI) releasing an advisory on this threat. According to the report, AvosLocker has been targeting critical infrastructure in different sectors of the US, with attacks also observed in other countries like Canada, UK, and Spain. Although detections are low, its clever use of familiar tactics makes it a ransomware variant worth monitoring today.

Of interest, the report found that Canada was among the top two countries for AvosLocker detections from July 2021 to February 2022. Moreover, the top three industries affected in Canada were the energy, healthcare and financial sectors.

While AvosLocker is a comparatively newer ransomware family with a lower detection rate than LockBit or Conti, it is slowly making a name for itself, to the point that the US Federal Bureau of Investigation (FBI) has released an advisory on it. What makes it worth monitoring despite the low detection count is its clever use of familiar tactics. The report highlights three:

  • It uses the remote administration tool AnyDesk. One of the notable characteristics of AvosLocker campaigns is its use of AnyDesk, a legitimate remote administration tool (the report abbreviates this as RAT; this is not a remote access trojan), to connect to victim machines. With this tool in place, the operator can drive the machine by hand and infect it interactively.
  • It runs in safe mode. Another key element of AvosLocker is running itself in safe mode as part of its evasion tactics. The attacker restarts the machine, disables certain drivers, and runs in safe mode, thereby avoiding security products that cannot run in this mode. Operators also set up the machine so that AnyDesk keeps running even in safe mode. It is worth noting that this tactic was previously employed by the now defunct REvil.
  • Operators auction stolen data. AvosLocker again takes a leaf from REvil’s book by auctioning stolen data on its site, on top of its double extortion scheme. This could be the group’s way of further monetizing a single successful attack, or of salvaging a failed one.
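The first two tactics above leave a recognizable trail on the endpoint: a remote-control tool appears, the next boot is forced into safe mode, and the tool is registered to survive that boot. As an added example (this is not code from the Trend Micro report or from the original post), here is a small Python detector that scans constructed, Sysmon-style process-creation records for that combination. The page does not say which Windows settings the operators change; the indicators below use two standard Windows mechanisms as assumptions of the example: `bcdedit ... safeboot` sets the boot mode, and anything listed under the `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network` key is loaded in Safe Mode with Networking. The log format, field names, host names and sample events are all constructed for the example.

```python
"""
Added example, not from the Trend Micro report or the original post:
flag hosts where a remote administration tool (AnyDesk) shows up together
with the machine being pushed into Safe Mode.

Assumptions (constructed for this example): the "ts host= image= cmdline="
record format and the sample events below. The indicator patterns rely on
standard Windows mechanisms (bcdedit safeboot, the SafeBoot registry key),
not on anything the page states about AvosLocker internals.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    image: str
    cmdline: str


# Constructed record layout: one process-creation event per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)

# (indicator name, pattern matched against "<image> <cmdline>")
INDICATORS = [
    # AnyDesk started or installed: legitimate software, so never an alert alone.
    ("anydesk_run", re.compile(r"\banydesk(\.exe)?\b", re.I)),
    # Next boot forced into Safe Mode via the boot configuration store.
    ("safeboot_set", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    # Something registered under the SafeBoot control key so it loads in Safe Mode.
    ("safeboot_service_reg", re.compile(r"\\safeboot\\(network|minimal)\\", re.I)),
    # Restart requested, which is how the host is taken into the new boot mode.
    ("forced_restart", re.compile(r"\bshutdown(\.exe)?\b.*\s/r(\s|$)", re.I)),
]


def parse_line(line: str) -> Optional[ProcEvent]:
    """Parse one constructed log record; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return ProcEvent(**m.groupdict()) if m else None


def classify(ev: ProcEvent) -> Set[str]:
    """Return the set of indicator names that fire on a single event."""
    text = f"{ev.image} {ev.cmdline}"
    return {name for name, pat in INDICATORS if pat.search(text)}


def detect(lines: List[str]) -> Dict[str, dict]:
    """Group indicators per host and decide whether the combination warrants an alert."""
    per_host: Dict[str, dict] = defaultdict(lambda: {"indicators": set(), "events": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hits = classify(ev)
        if not hits:
            continue
        per_host[ev.host]["indicators"] |= hits
        per_host[ev.host]["events"].append((ev.ts, sorted(hits), ev.cmdline))

    findings = {}
    for host, data in per_host.items():
        inds = data["indicators"]
        # Alert only on the pairing the report describes: a remote-control tool
        # AND the host being pushed into Safe Mode (or something registered to
        # run there). A lone AnyDesk launch or a lone patch reboot stays quiet.
        alert = "anydesk_run" in inds and bool(inds & {"safeboot_set", "safeboot_service_reg"})
        findings[host] = {"indicators": sorted(inds), "alert": alert, "events": data["events"]}
    return findings


# Constructed sample events: one suspicious host, two benign ones.
SAMPLE_LOG = r"""
2022-01-15T02:11:07Z host=WS-FIN-07 image=C:\Users\admin\Downloads\AnyDesk.exe cmdline="AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"
2022-01-15T02:14:52Z host=WS-FIN-07 image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} safeboot network"
2022-01-15T02:15:03Z host=WS-FIN-07 image=C:\Windows\System32\reg.exe cmdline="reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk /ve /t REG_SZ /d Service /f"
2022-01-15T02:15:40Z host=WS-FIN-07 image=C:\Windows\System32\shutdown.exe cmdline="shutdown.exe /r /f /t 0"
2022-01-15T09:02:11Z host=WS-ENG-02 image=C:\ProgramData\AnyDesk\AnyDesk.exe cmdline="AnyDesk.exe"
2022-01-15T22:00:00Z host=SRV-DB-01 image=C:\Windows\System32\shutdown.exe cmdline="shutdown.exe /r /t 60 /c PatchReboot"
2022-01-15T22:30:00Z host=WS-ENG-02 image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /enum"
""".strip().splitlines()


if __name__ == "__main__":
    for host, f in detect(SAMPLE_LOG).items():
        flag = "ALERT" if f["alert"] else "ok   "
        print(f"{flag} {host}: {', '.join(f['indicators'])}")
```

The rule deliberately requires the pairing rather than any single indicator: helpdesk staff launch AnyDesk, and servers reboot for patching, so either alone is noise. In a real deployment the patterns would run against Sysmon Event ID 1 or EDR process telemetry rather than this constructed text format, and registry-set events (Sysmon Event ID 13) on the SafeBoot key would be a second, independent source for the same indicator.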

Operating as a RaaS, the actors behind AvosLocker coordinate their attacks and choose their targets based on their ability to pay the demanded ransom, pursuing critical infrastructure in different industries.

I would read this Trend Micro report and see if your defences against this ransomware measure up.

