AvosLocker recently made headlines as a new ransomware-as-a-service (RaaS) that commenced operations in June, represented by a purple bug brand logo. Operating based on a similar modus operandi to most RaaS, AvosLocker has started promoting its RaaS program via various forums on the dark web in its search for affiliates. AvosLocker’s primary mode of malware delivery is through spam email campaigns and online advertisements. After a successful compromise, AvosLocker then offers technical assistance to victims, providing support to recover the compromised systems. As seen on their Tor Network Site, AvosLocker uses 256-bit custom AES encryption and appends encrypted files with the extension .avos. Victims are then led to a landing page to begin the negotiations with the AvosLocker team.

Analyzing AvosLocker

Upon execution, AvosLocker encrypts files on the victim’s machine and disables file recovery and system restore. A ransom note is left on the victim’s machine, which includes a link and a corresponding ID for access to the AvosLocker Tor site.

Once access is granted, AvosLocker provides a clean user interface that displays four main components: 

1. Countdown Timer –  Displays time left before the ransom is doubled.
2. Test Decryption –  A feature that allows victims to upload an encrypted sample file to check whether it can be successfully decrypted.
3. Support Bot – A chat feature that gives victims the ability to interact with the AvosLocker group and is used for negotiations and payment support-related matters.
4. Payment Information – A QR code is provided for payment address with the ransom currency denoted in cryptocurrency XMR (MONERO).

Subsequently, should the owner of the data choose to not pay the ransom, the AvosLocker group then puts the victim’s data up for sale via a press release.

Within seconds of an infection, ReaQta-Hive is able to effectively reconstruct the complete breach, by providing complete details of attacker tactics.

Running the attack

ReaQta-Hive is equipped with ransomware protection capabilities to prevent any potential data encryption on endpoints. Any ransomware behaviour is automatically blocked upon detection to ensure that sensitive data is protected.

ReaQta-Hive was able to autonomously stop AvosLocker in very early attack stages, effectively mitigating any business interruptions. ReaQta’s AI automations terminated all malicious processes and stopped the threat within seconds, then closed off the alert to reduce any additional actions required of security teams.

Ransomware attacks will only continue to surge globally. Organizations and its security leaders should already have security and mitigation plans in place to ensure that their sensitive data stays safe against any destructive malware.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.