On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for AvosLocker, which was a sophisticated double extortion Ransomware-as-a-Service (RaaS) group that was last observed being active in May 2023. Our research team put this report together so the security community can learn how to counteract other threats that employ similar tactics and procedures (TTPs).

The AvosLocker group gained prominence in July 2021 and was known for employing a double extortion strategy where they first stole data before encrypting it. The group would then threaten to release the data on a dedicated leak site unless a ransom was paid. Initially, AvosLocker primarily targeted Windows systems, but they subsequently expanded their reach by creating a Linux version of their ransomware designed to target VMware ESXi.

Key Takeaways

AvosLocker was a Ransomware-as-a-Service double extortion group.
No new activity has been observed since May 2023.
AvosLocker hosted a data leak site from July 2021 to July 2023, where they would add stolen proprietary data unless a ransom was paid.
AvosLocker heavily targeted the education sector – accounting for 25% of their attacks.
The United States bore the brunt of most AvosLocker attacks accounting for a whopping 72.2%, with Canada trailing far behind at 9.3%.

Attack Methodologies

Since different affiliates employed distinct intrusion techniques, each threat actor’s deploying AvosLocker approach to gain unauthorized access varied significantly. Affiliates were observed exploiting ProxyShell vulnerabilities, like CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, present in the Microsoft Exchange server to obtain initial access. AvosLocker affiliates also infiltrated victims' networks via compromised RDP and VPN accounts, and exploited the Zoho ManageEngine ServiceDesk Plus vulnerability.

After infiltrating a victim’s network, the ransomware was executed in Windows Safe Mode to maximize the number of files that could be encrypted, since applications such as databases and security software (e.g., antivirus programs) would likely not be running. This technique ensured that these applications would not interfere with file encryption. The ability to encrypt files in Windows Safe Mode is a feature that has been observed in other ransomware families, including Conti, REvil, and BlackMatter.

Infections by Industry

Figure 1, shown below, depicts the industries most affected by AvosLocker as a percentage of total attacks over the past year.

AvosLocker focused its attacks on the education sector and received approximately 25% of the group’s total attacks.
Furthermore, AvosLocker impacted the manufacturing and healthcare industry, which accounted for approximately 15.38% and 9.62%, respectively.

Industry verticals targeted by double extortion attacks using AvosLocke

_{Figure 1: Industry verticals targeted by double extortion attacks using AvosLocker}

Countries Targeted by AvosLocker

The U.S. emerged as the hardest-hit country in attacks orchestrated by the AvosLocker group, with more than 72% of attacks as shown in Figure 2. This highlights the scale and severity of the cyberthreat faced by U.S. businesses and institutions. Canadian organizations received 9.3% of AvosLocker’s attacks. China and Taiwan shared a similar level of impact, each experiencing 3.7% of AvosLocker attacks.

Breakdown of victims by country breached by AvosLocker

_{Figure 2: Breakdown of victims by country breached by AvosLocker}

Ransomware Analysis

Since first discovered in 2021, AvosLocker binaries have undergone slight changes and improvements. The following is a detailed analysis of the last variant used in-the-wild.

Command line arguments

AvosLocker implements multiple command line arguments, as shown in Figure 3, allowing for customization of the ransomware execution based on affiliate requirements.

AvosLocker command line arguments

_{Figure 3: AvosLocker command line arguments}

The threat actor decides what functionality to enable/disable during the execution of the AvosLocker ransomware. When executed, the selected options are displayed in the console as shown below.

Build: SonicBoom
b_bruteforce_smb_enable: 0
b_logical_disable: 0
b_network_disable: 1
b_mutex_disable: 0
concurrent_threads_num_max: 200

AvosLocker creates the mutex Zheic0WaWie6zeiy by default to ensure that only one ransomware process is running at a given time, unless the --nomutex command line argument is provided.

Pre-encryption measures

Upon execution, AvosLocker first checks whether it has administrative privileges, and if not, it shows the debug message in the console, The token does not have the specified privilege, and then executes a process termination routine targeting databases, web browsers, and other business applications. The list of processes to be terminated were decoded dynamically using a stack-based string obfuscation algorithm (described later in the report). The process names in Table 1 were terminated.

Table 1: AvosLocker process termination list
encsvc	thebat	mydesktopqos	xfssvccon	firefox	infopath
winword	steam	synctime	notepad	ocomm	onenote
mspub	thunderbird	agntsvc	mydesktopservice	excel	powerpnt
outlook	wordpad	dbeng50	isqlplussvc	sqbcoreservice	oracle
ocautoupds	dbsnmp	msaccess	tbirdconfig	ocssd	sql & visio

Then, AvosLocker performs the following actions:

Deletes Windows shadow copies to prevent the recovery of files using the following commands:

wmic shadowcopy delete /nointeractive
vssadmin.exe  Delete Shadows /All /Quiet

Disables recovery mode and the edits the boot status policy, which prevents access to Windows Recovery Mode with the following commands:

bcdedit  /set {default} recoveryenabled No
bcdedit  /set {default} bootstatuspolicy ignoreallfailures

Deletes the Windows event logs to cover up evidence of malicious activity with the following PowerShell command:

Powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

Encryption process

AvosLocker leverages multiple threads to encrypt the target files on an infected machine. Then it enumerates all drives (e.g., fixed, removable, and network shares) based on the command line arguments. The ransomware then performs a file extension check where the files with the extensions in Table 2 are excluded and not encrypted.

Table 2: AvosLocker extension exclusion list
avos	avoslinux	avos2	avos2j	themepack	nls	diagpkg	msi	lnk
exe	cab	scr	bat	drv	rtp	msp	prf	msc
ico	key	ocx	diagcab	diagcfg	pdb	wpx	theme	mpa
hlp	icns	rom	dll	msstyles	mod	ps1	nomedia	spl
ics	hta	bin	cmd	ani	386	lock	cpl	adv
cur	idx	sys	com	deskthemepack	shs	ldf	icl	msu

In addition, AvosLocker won’t encrypt any files listed in Table 3.

Table 3: Files excluded by AvosLocker
Thumbs.db	ntuser.ini	ntuser.dat.log	ntuser.dat	ntldr	iconcache.db
desktop.ini	config.msi	bootsect.bak	bootfont.bin	boot.ini	autorun.inf

Furthermore, AvosLocker won’t encrypt the directories in Table 4.

Table 4: Folders excluded by AvosLocker
All Users	AppData	boot	bootmgr
Games	Intel	Microsoft.	Program Files/Program Files (x86)
ProgramData	Public	Sophos	System Volume Information
Windows	Windows.old	WinNT	MicrosoftSQL Server

AvosLocker encrypts file content using AES in CBC mode with a randomly generated AES key. The AES symmetric key is then encrypted with a 2,048-bit RSA public key embedded in the ransomware binary. Finally, the RSA data containing the encrypted AES key is Base64 encoded and appended to the end of the encrypted file (see Figure 4). Then, the file extension is changed to .avos2.

AvosLocker encrypted file contents

_{Figure 4: AvosLocker encrypted file contents}

During the encryption phase, the ransomware also prints debug messages to the console that show encryption statistics to the threat actor as shown below.

drive D: took 0.003000 seconds
drive Z: took 0.119000 seconds
drive A: took 1.060000 seconds
drive C: took 19.672000 seconds
Waiting for encryption threads to finish ... [OK]
Encryption Stats
[+] Locked objects: 6313
asym time: clocks 14465
total time: clocks 20648 | 20.648000 seconds

After encryption, AvosLocker drops a ransom note named GET_YOUR_FILES_BACK.txt as shown in Figure 5.

AvosLocker ransom note

_{Figure 5: AvosLocker ransom note}

AvosLocker also changes the Windows desktop wallpaper (shown in Figure 6) to a message similar to the ransom note text file.

AvosLocker ransom note wallpaper

_{Figure 6: AvosLocker ransom note wallpaper}

The victim ID mentioned in the ransom note is hardcoded in the AvosLocker binary and the ransom note’s filename is README_FOR_RESTORE. ThreatLabz also observed AvosLocker using different file extensions such as .avos, .avos2, and .avoslinux, with the latter being used for the Linux variant. The Linux variant is very similar to the Windows version, but also possesses the capability to terminate and encrypt ESXi virtual machines.

Data Leak Site

If a victim decided not to pay a ransom, the group would post stolen data to their data leak site hosted via a Tor hidden service. This tactic was designed to pressure victims to pay a ransom to avoid a loss of sensitive information that may be damaging to the victim organization when publicly disclosed. The AvosLocker data leak site has been down since July 2023 and the payment site went down in August 2023. ThreatLabz observed a total of 60 victims’ data posted on the data leak site as shown in Figure 7.

AvosLocker data leak site

_{Figure 7: AvosLocker data leak site}

Anti-Analysis

All the important strings in AvosLocker ransomware samples are obfuscated using ADVObfuscator,which pushes encoded versions of strings to the stack, and then decodes them at runtime (as shown in Figure 8), using simple but different algorithms and keys.

AvosLocker string obfuscation

_{Figure 8: AvosLocker string obfuscation}

For instance, the string above decodes to: cmd /c wmic shadowcopy delete /nointeractive

NetMonitor Backdoor

AvosLocker leverages NetMonitor, a tool that appears like a legitimate network monitoring utility, but in reality acts as a backdoor for AvosLocker.

NetMonitor establishes persistence after being installed as a system service, using names such as: NetAppTcp, NetAppTcpSvc, WazuhWinSrv, RSM, WinSSP, WebService, etc. Once initiated, NetMonitor tries to contact its C2 server every 5 seconds using a hardcoded IP address and port (usually 443). The malware uses raw sockets and a small binary protocol for all communication, where the encrypted ping packet contains content similar to that shown in Figure 9.

NetMonitor encrypted communication

_{Figure 9: NetMonitor encrypted communication}

The first four bytes are random, and the remaining bytes are an RC4 encrypted payload with an 8 byte key. Figure 10 shows the actual payload content after the decryption.

NetMonitor decrypted communication

_{Figure 10: NetMonitor decrypted communication}

The first four bytes are also random (and identical to the previous four bytes prepended to the encrypted payload) followed by a command. Depending on the command received, NetMonitor then starts listening on a port or acts as a reverse proxy server.

NetMonitor was closely tied to AvosLocker, with the last observed activity occurring in the first half of 2023, and no new samples have been identified since August 2023.

Conclusion

AvosLocker is a ransomware group that was active and performing double extortion attacks until May 2023. The group also targeted multiple operating systems with different ransomware variants. Zscaler ThreatLabz continues to track different ransomware groups and add indicators of compromise to protect our customers. Please read Zscaler’s yearly ransomware report to learn more about the various trends and most significant ransomware groups.

Zscaler Coverage

Cloud Sandbox

Cloud Sandbox Coverage

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to AvosLocker at various levels with the threat names listed below.

Win32.Ransom.Avos

Indicators of Compromise (IOCs)

AvosLocker

Hashes

```
1076a979c6a7633ee3a4884d738452c5
```
```
1330887fe501036aff6ed443340e9405
```
```
d285f1366d0d4fdae0b558db690497ea
```
```
76e177a94834b3f7c63257bc8011f60f
```
```
b27f0f2826bacd329fb28d9cda002d7d
```
```
16a5d134d50eeb34989b48dca166462d
```
```
f9de6998546e9ea169c54527962e1e92
```
```
1933f61951738b6fdbfff3fa0f65d712
```
```
63e12fa6203dc61fc82343e7dec1b33b
```
```
4e75f8dc15a82674c57c4f12dbd78808
```
```
8c4bfd216fb8e69f7f1e1f4cb1e3f9a1
```
```
0e9432cd9e9405b04f4e46b368585d60
```
```
19944159dfa94a1b75effd85e6b906dc
```
```
869fc579f45a790b7c485d52cb2c8986
```
```
0b3888d8683d3ebb27627452a0179575
```
```
194c16941dc618facef7d0c4749a39a7
```
```
c41c5de8abeb92adaf8a86cf8b31570e
```
```
f091b9085d35e61945c743e3683b1b71
```
```
2d7cf26f4e4dacf637f7ef0b1edfbda5
```
```
a0a60441609f42f2f79c7826db9ae296
```

URLs

Payment Sites:

avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

```
avos2fuj6olp6x36.onion
```

Data Leak Sites:

avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

```
avos53nnmi4u6amh.onion
```

NetMonitor

Hashes

```
A5485e8f09f6428b42b499bc914532e6
```
```
e5dac186720ea10f3752aa30a96d3fc0
```
```
9ff900a05d75b97948a3b52d8835b21f
```
```
15e948c18ea77efb5ffbf0a72d05d348
```
```
85e44d1333422e9b550c94ad7b7202a0
```
```
d59dca267722dfd923350d5b139b1036
```

C&Cs

```
194.213.18.138:443
```
```
146.70.147.17:443
```
```
142.44.132.90:443
```
```
45.66.249.80:443
```
```
23.227.198.197:443
```
```
23.236.181.117:443
```

Thank you for reading

Was this post useful?

Yes, very!

Not really

Explore more Zscaler blogs

2022 Cloud (In)Security Report

Read post

ThreatLabz State of Encrypted Attacks 2022 Report exposes hidden threats

Spoiler: New ThreatLabz Report Reveals Over 85% of Attacks Are Encrypted

Read post

Hibernating Qakbot: A Comprehensive Study and In-depth Campaign Analysis

Read post