Credential Theft
- LaZagne
- Mimikatz
- XenArmor
AvosLocker is a ransomware family and Ransomware-as-a-Service (RaaS) operation associated with double-extortion activity.
Profile source: Mallory opens in a new tabAvosLocker
AvosLocker is a ransomware family and Ransomware-as-a-Service (RaaS) operation associated with double-extortion activity. The provided content states it emerged in June 2021 and has targeted entities in the United States, Canada, the United Kingdom, and Spain, with a focus on critical infrastructure. Reported initial access vectors include spear-phishing, exploitation of public-facing applications, and compromised RDP credentials. The malware is described as establishing persistence with custom webshells, escalating privileges via credential dumping, and exfiltrating data before encryption. AvosLocker encrypts files and network resources using AES-256 and appends .avos, .avos2, or .AvosLinux extensions; the content also notes systems may be rebooted into Safe Mode with Networking before encryption and that its Linux variant has terminated ESXi virtual machines. Additional observed behaviors include enumerating shared drives on compromised networks, checking system time before and after encryption, hiding its console window via the ShowWindow API, and using obfuscated API calls resolved by checksums. The content further notes defense-evasion and masquerading behaviors, including being disguised as a .jpg file and, in one incident, being disguised using the victim company name as the filename. It is also referenced as a RaaS program advertised on the RAMP cybercrime forum.
Ransomware.live
MITRE ATT&CK
Reporting
We identified 14 distinct RaaS programs: AvosLocker (Nov 2021) ... The AvosLocker listing is particularly significant: a known ransomware operation directly posting buying requests on the same forum where it advertised its RaaS program.
Other members joined groups like BlackCat, Hive, AvosLocker, and HelloKitty...
...infiltrated or taken over other ransomware or cybercrime operations, including BlackCat, Black Basta, ZEON, Hello Kitty, Hive, AvosLocker, Quantum, BlackByte, Karakurt...
The leaks ultimately expedited Conti's shutdown, with the cybercrime members moving to other operations or starting new gangs, including Royal, Black Basta, BlackCat, AvosLocker, Karakurt, LockBit, Silent Ransom, DagonLocker, and ZEON.
CISA highlighted the persistent threat of AvosLocker ransomware, a Ransomware-as-a-Service operation known for its double extortion tactics. Since its emergence in June 2021...
Some of the ones found in the wild are Royal Ransomware, Nevada Ransomware, GwisinLocker ransomware, Luna ransomware, RedAlert Ransomware, as well as Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, REvil, RansomEXX, and Hive.
Most Commonly Observed Ransomware Variants in Q3 2022 ... 5 AvosLocker 3%
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space ... which may lead to bypassing anti-tampering features. [avoslocker_ransomware]
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.