AvosLocker

- Posted in Ransomware by

AvosLocker is the name of a ransomware family and also of the team behind it. The group stands out from most other ransomware operations through its stance as ransomware for hire: it advertises its services on the dark web and also sells pre-packaged builds for off-the-shelf purchase. Its services include consultancy to help clients use the product, customization of the ransomware for specific use cases and attack vectors, and for-hire hackers who assist with network reconnaissance and payload deployment. The group charges in bitcoin and is fast becoming a criminal enterprise.

Currently most of the discussion about AvosLocker concerns its recent attacks against infrastructure. Reports from multiple sources indicate that targets in North America, Europe, the Middle East and Asia-Pacific have been attacked, with the most common attack vector being Microsoft Exchange Server. Indicators that a machine and/or network has been compromised include the following:

  1. Modified Windows Registry "Run" keys.
  2. Encoded PowerShell scripts.
  3. A false PuTTY Secure Copy client tool, "pscp.exe".
  4. Rclone.
  5. A false AnyDesk appearing (if it is not normally used on the network).
  6. A false Advanced IP Scanner.
  7. WinLister.
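As an added defender-side example that is not part of the original post, the following Python triages an exported Run key listing for two of the indicators above: a Run value that carries encoded PowerShell (decoded from its base64 UTF-16LE form) and a Run value that launches one of the listed tools. The registry dump is constructed sample data; the tool-name list and output format are assumptions, not from any AvosLocker sample.

```python
import base64
import re

# Tool names the post lists as AvosLocker indicators, lower-cased for matching.
SUSPECT_TOOLS = ("pscp", "rclone", "anydesk", "advanced_ip_scanner", "winlister")
# PowerShell accepts abbreviated forms of -EncodedCommand (-e, -ec, -enc).
ENC_SWITCH = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# One value line as printed by `reg query <key>`: name, type, data.
REG_LINE = re.compile(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None if there is none."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:  # -EncodedCommand is base64 over UTF-16LE text
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_run_dump(text):
    """Parse `reg query ...\\Run` output into (value_name, command) pairs."""
    return [(m.group(1), m.group(2)) for m in map(REG_LINE.match, text.splitlines()) if m]

def triage_run_entries(text):
    """Flag Run values that carry encoded PowerShell or launch a listed tool."""
    findings = []
    for name, cmd in parse_run_dump(text):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append((name, "encoded-powershell", decoded))
        haystack = (cmd + " " + (decoded or "")).lower()  # search both forms
        for tool in SUSPECT_TOOLS:
            if tool in haystack:
                findings.append((name, "suspect-tool:" + tool, cmd))
    return findings

# Constructed sample input (not a real capture): a benign entry, an encoded
# PowerShell loader that points at rclone, and a Run value starting a planted pscp.exe.
ENCODED = base64.b64encode("Start-Process C:\\ProgramData\\rclone.exe".encode("utf-16le")).decode()
SAMPLE_RUN_DUMP = f"""
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    Updater     REG_SZ    powershell.exe -nop -w hidden -enc {ENCODED}
    Sync        REG_EXPAND_SZ    %ProgramData%\\pscp.exe -batch
"""
```

Running `triage_run_entries(SAMPLE_RUN_DUMP)` yields three findings: the decoded loader under "Updater", the rclone reference it contains, and the pscp.exe entry under "Sync".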

The main difficulty with the above indicators is that people are often unaware of the unexpected deployment, because many updates add applications of this type without notice; this is a trend we think should be discouraged in favour of user notice and acceptance. Common Exchange Server vulnerabilities used to breach a target network include the following ProxyShell vulnerabilities:

  • CVE-2021-31207 - Flaw within the Mailbox Export service that allows malicious file uploads to the server.
  • CVE-2021-34523 - Flaw within PowerShell that allows execution of PowerShell commands without access validation.
  • CVE-2021-34473 - Utilizes the Autodiscover service to scrape user information.
  • CVE-2021-26855 - Allows an unauthorized user admin access to the server.

A further note regarding the attacks themselves: there have been cases of victims receiving phone calls from the AvosLocker attackers pressuring the victim organization to go to the Avos .onion site and pay the ransom. Text files named GET_YOUR_FILES_BACK.txt are also created in every directory of the affected machines, leaving a note with the .onion payment site; an example of such a message is below. Note that accessing .onion pages requires Tor or a similar tool.

AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Thoughts and Recommendations

Our recommendations regarding mitigation of this attack are pretty much the standard for preventing ransomware attacks. Harden your organization's network and all devices on it. Enforce social engineering training requirements for all employees. Maintain and enforce a disaster recovery plan, including off-site and offline data backups. Having a general network security policy is also key, so that a security baseline is kept. I would like to emphasize that it appears that, since the team behind AvosLocker has built such a well thought out "customer experience", they may mostly be the hacker-for-hire type, largely attacking whoever they are paid to attack; if they were paid the correct sum to attack Microsoft, they would. There is no reason to believe that any organization is safe, so precaution is key.