Published on October 26, 2021

AvosLocker Ransomware (RaaS): A New Ransomware Group Emerges

AvosLocker recently made headlines as a new ransomware-as-a-service (RaaS) that commenced operations in June, represented by a purple bug brand logo. Operating based on a similar modus operandi to most RaaS, AvosLocker has started promoting its RaaS program via various forums on the dark web in its search for affiliates. AvosLocker’s primary mode of malware delivery is through spam email campaigns and online advertisements. After a successful compromise, AvosLocker then offers technical assistance to victims, providing support to recover the compromised systems. As seen on their Tor Network Site, AvosLocker uses 256-bit custom AES encryption and appends encrypted files with the extension .avos. Victims are then led to a landing page to begin the negotiations with the AvosLocker team.

AvosLocker Tor Site
Analyzing AvosLocker
AvosLocker ransom note

Upon execution, AvosLocker encrypts files on the victim’s machine and disables file recovery and system restore. A ransom note is left on the victim’s machine, which includes a link and a corresponding ID for access to the AvosLocker Tor site.

AvosLocker payment page

Once access is granted, AvosLocker provides a clean user interface that displays four main components: 

  1. Countdown Timer –  Displays time left before the ransom is doubled.
  2. Test Decryption –  A feature that allows victims to upload an encrypted sample file to check whether it can be successfully decrypted.
  3. Support Bot – A chat feature that gives victims the ability to interact with the AvosLocker group and is used for negotiations and payment support-related matters.
  4. Payment Information – A QR code is provided for payment address with the ransom currency denoted in cryptocurrency XMR (MONERO).
AvosLocker is paid via MONERO cryptocurrency

Subsequently, should the owner of the data choose to not pay the ransom, the AvosLocker group then puts the victim’s data up for sale via a press release.

AvosLocker Press Release Onion Service on the Tor network (captured October 20, 2021)

Within seconds of an infection, ReaQta-Hive is able to effectively reconstruct the complete breach, by providing complete details of attacker tactics.

New call-to-action

Running the attack

ReaQta-Hive’s Behavioural Tree showing the AvosLocker ransomware

ReaQta-Hive is equipped with ransomware protection capabilities to prevent any potential data encryption on endpoints. Any ransomware behaviour is automatically blocked upon detection to ensure that sensitive data is protected.

AvosLocker is automatically stopped by ReaQta-Hive within seconds

ReaQta-Hive was able to autonomously stop AvosLocker in very early attack stages, effectively mitigating any business interruptions. ReaQta’s AI automations terminated all malicious processes and stopped the threat within seconds, then closed off the alert to reduce any additional actions required of security teams.

New call-to-action

Ransomware attacks will only continue to surge globally. Organizations and its security leaders should already have security and mitigation plans in place to ensure that their sensitive data stays safe against any destructive malware.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.