Executive Summary
Ransomware attacks have been a global issue within the cyber security industry and many organizations are left wondering if they’ll be the next victim. According to a report from Kroll, the first quarter of 2022 saw an uptick in ransomware attacks leveraging vulnerabilities. Log4j saw the most activity in the final quarter of 2021 with threat actors exploiting the vulnerability via cryptominers. This year, ransomware gangs are using Log4j to set the stage for network encryption, taking advantage of the vulnerability that knocked the cyber world off its axis in 2021.
With ransomware gangs relentlessly attacking critical infrastructure sectors, organizations are rightfully fearful of looming threats. Ransomware attacks commanded attention in 2021, but also started off strong at the beginning of 2022. Threat actors are rethinking how they attack organizations and have gone beyond with their tactics and techniques – taking their attacks to the next level. According to Palo Alto’s Unit 42, 2021’s ransom demand climbed 133% ($2.2 million) and the average payment rose 78% ($541,010).
Ransomware will continue to be a challenge in 2022 as cyber criminals find new ways to exploit vulnerabilities and remove technical barriers. This year, we have seen several ransomware gangs compromise systems and networks, but one gang in particular has caught the attention of the FBI as well as cyber security researchers. AvosLocker ransomware has targeted organizations in multiple critical infrastructure sectors within the U.S. including the Financial Services, Critical Manufacturing, and Government sectors.
In addition to the U.S., the ransomware gang has targeted Arabia, Germany, Belgium, Spain, Turkey, the United Arab Emirates, the United Kingdom, Canada, Taiwan, and Saudi Arabia. Let’s take a look at AvosLocker ransomware, their tactics and techniques, and how threat actors are using excellent customer service to keep the ransom payments coming.
In March 2022, the FBI and the U.S. Treasury Financial Crimes Enforcement Network released a joint advisory addressing AvosLocker and their activity targeting organizations across several critical infrastructure sectors. The RaaS gang deploys ransomware onto their victim’s networks and systems, then threatens to leak their files on the dark web if they don’t pay up. AvosLocker is both the name of the RaaS gang, as well as the name of the ransomware itself.
In May 2022, AvosLocker took responsibility for attacking and stealing data from the Texas-based healthcare organization, CHRISTUS Health. CHRISTUS Health runs hundreds of healthcare facilities across Mexico, the U.S., and South America. The group stole information from a cancer patient registry which included names, social security numbers, diagnoses, dates of birth, and other medical information. The nonprofit Catholic health system has more than 600 healthcare facilities in Texas, Louisiana, New Mexico, and Arkansas. There are also facilities in Columbia, Mexico, and Chile.
Fortunately, the ransomware attack was quickly identified and was limited. While other healthcare organizations have not been as fortunate with ransomware attacks, the AvosLocker attack didn’t impact CHRISTUS Health’s patient care or clinical operations. CHRISTUS Health didn’t reveal whether or not the security incident included ransomware, data exfiltration or extortion, but due to AvosLocker’s reputation, it is more than likely that the incident included at least one of the three.
CHRISTUS Health is not the only healthcare entity impacted by AvosLocker. In April 2022, AvosLocker allegedly attacked McKenzie Health System and leaked data on their leak site. McKenzie Health System reported a hacking incident to the U.S. Department of Health and Human Services and disclosed a security incident regarding a network server. The incident affected over 25,300 people and disrupted some of the health care organization’s IT systems. After an investigation, McKenzie Health disclosed in a statement that a “third party” breached its systems and removed some files. They didn’t name AvosLocker or any other threat actor as the culprit, but researchers found McKenzie Health’s data on AvosLocker’s data leak site in April 2022.
AvosLocker was discovered advertising on dark web forums in July 2021 and has been observed targeting Windows machines. The group works with affiliates and splits the profits they receive with a select group of developers. AvosLocker also uses Any Desk ( a remote administration tool) to connect to victims’ machines and manually operate and infect their machines.
According to Trend Micro’s observations, AvosLocker uses Zoho ManageEngine ADSelfService Plus as an entry point into their victim’s systems and networks. They also use spam email campaigns as an initial infection vector to deliver their ransomware payload. Although Trend Micro couldn’t pinpoint a particular CVE ID, they saw some indications that AvosLocker abuses CVE-2021-40539. The group also evades detection by disabling anti-virus solutions.
According to Qualys, process files are appended with the “.avos” extension during the encryption process, while an updated variant appends with the “.avos2” extension. The Linux version also appends with the extension “.avoslinux”. Once their attack is successful, the threat actor publishes the names of their victims on their data leak site which is hosted on the TOR network. This site provides exfiltrated data for sale, which can be found at hxxp://avosxxx…xxx[.] onion. The gang’s latest ransomware variants are located on another leak site. There, you will find AvosLocker’s claims to the “latest Windows variant” – the fastest in the market with scalable threading and selective cyphers.
Now, AvosLocker has added support for encrypting Linux systems. They especially target VMware ESXi virtual machines, which gives them access to a much wider range of organizations. AvosLocker also has the ability to kill ESXi VMs. Additionally, AvosLocker exploits several ProxyShell vulnerabilities including CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, and CVE-2021-31207.
AvosLocker’s ransom note is named “GET_YOUR_FILES_BACK.txt” and is located in each encrypted directory before the file is encrypted. The note gives instructions for the victim which include not shutting down the system (in case encryption is in progress) to avoid corrupting files. The note also asks their victims to visit an onion address with the TOR browser. The site instructs the victim to pay the ransom in order to retrieve the decryption key to decrypt the application or files.
Image 1: AvosLocker Infection Chain
Source: Qualys
The victim submits their payment via a “payment page”. If the payment is not made, then their data goes up for sale. Also, an affiliate program is offered by AvosLocker. The program provides RaaS, as well as services to clients. Those services include:
Linux has seen its fair share of vulnerabilities, but AvosLocker’s malware arrives in Linux as an elf file. The file that was analyzed by the research group Qualys, is a x64 based Linux executable file. There is also a command-line application which has some command-line options.
Image 2: Linux File
Source: Qualys
According to Qualys, after execution, AvosLocker collects information regarding the number of threads that need to be created. It then checks for string “vmfs” in the file path provided as a command line argument. Next, it checks for the string ESXi in the file path and once the parameter is found, it calls a routine to kill the running ESXi virtual machine. Finally, AvosLocker drops the ransom note file at the targeted directory and creates a list of files to be encrypted. Please note that only regular files are added to the encryption list. If the file has the extension “avoslinux” then that it’s skipped and isn’t added to the encryption list.
Image 3: vmfs
Source: Qualys
Before AvosLocker starts file encryption, a ransom note named “README_FOR_RESTORE” is created.
Image 4: Ransom Note
Source: Qualys
Ransomware continues to remain a threat to organizations everywhere. Ransomware is malware that is often used by cyber criminals who seek financial gain. Just like any other malware, ransomware is delivered to victim’s networks and systems by exploiting known vulnerabilities. Threat actors will take advantage of systems that have not been patched or that have already been compromised and they will use phishing email scams and social engineering tactics to deploy their ransomware.
Once the threat actor is in a system and has the opportunity to deploy their ransomware, the malware overtakes the victim’s files and systems – encrypting key information. The information is often rendered unusable to the organization and the threat actor will then demand a ransom payment in exchange for decryption. If the ransom is not paid, then data is either held hostage or leaked for all to see.
Ransomware attacks pressure victims to pay up and in full or else.
According to Palo Alto’s research on ransomware attacks for 2022, the most targeted regions for ransomware attacks include the Americas, Europe, the Middle East, Africa, and Asia Pacific – with construction and professional and legal services being the most targeted sectors. Because the long-term effects of a ransomware attack can be devastating and go beyond the actual cost of the ransom, it’s important for organizations to remain vigilant with protecting their cyber environments.
At the tail end of 2021, ransomware gangs exploited Log4Shell (CVE-2021-44228) quickly. Log4Shell is a zero-day critical vulnerability was found in the Apache Log4j2 Java-based logging library. It is an unauthenticated remote code execution (RCE) flaw that allows for complete system takeover with Log4j2.0-beta9 up to 2.16.1. This means that the flaw could allow attackers to install cryptominers and steal data, as well as credentials.
Because organizations failed to patch the vulnerability when it was disclosed, threat actors had a field day. After the news broke about how easy it was to exploit Log4j2, threat actors made swift moves. Log4Shell resulted in massive world-wide scanning with the payloads running from miners, Unix DDoS malware, and framework stagers pushed to compromised hosts.
This kind of mass scanning was expected because as with any exploit, attackers with motives will exploit anything they can in order to receive what they want (money, credentials, sensitive data, etc.). However, since December 2021, the issues surrounding Log4Shell still persist and there is no sign of them disappearing. Now, in 2022, Log4j is still being exploited, this time, by AvosLocker. The ransomware gang has been observed scanning multiple endpoints for the Log4j vulnerability using NmapNSE script.
Ransomware trends are on the rise and there are three in particular that everyone needs to keep an eye on:
Ransomware and big business may have more in common than one might think. Ransomware operations are starting to behave more like businesses than criminals. In 2022, ransomware gangs are renting out office space, hiring graphic designers to beautify their web presence, and they are even providing prompt customer service to their victims and/or clients. From the outside looking in, these ransomware gangs look a lot like tech companies and operate as if they are Fortune 500 companies. They have investments in development, and they market their products and services just like any other company would.
Ransomware gangs like Conti can sometimes appear to be more disciplined than a lot of legitimate tech companies. They have an agile development framework that is often seen in Silicon Valley – go offline to develop, come back online to test, then retreat to work out the kinks and flaws. Some might say that ransomware is experiencing its own tech bubble with groups setting themselves apart from competitors by pulling bigger hauls, being hyper organized, and sometimes corporatizing their operations.
Ransomware dates back to the 1980s and became even more common in the 2000s. SamSam ransomware was one of the first to offer first class customer service for their victims and now, other threat actors are following suit. Conti has developed a reputation for prompt response times – replying in minutes or hours instead of leaving their victims waiting. This creates a sense of trust with their victims and has ushered in a new era of brand conscious ransomware gangs.
While a ransomware gang with phenomenal customer service may convince you to pay their demanded ransom and cooperate, the FBI discourages you from doing just that. Paying the ransom only encourages other threat actors to target additional organizations and gives the green light for other cyber criminals to continue to distribute ransomware. Paying the ransom also helps fund the adversary’s illicit activities.
While it’s understood that your business operations may be disrupted or even be completely non-functioning, it’s always best to report ransomware incidents to the FBI immediately. The FBI has investigators and analysts, and they need critical information to help track the ransomware attackers, hold them accountable, and prevent future attacks. Field office contacts can be located at http://www.fbi.gov/contact-us/field-offices
Even with anti-malware solutions installed, AvosLocker is a great risk to organizations. AvosLocker can disable anti-virus software and deploy their ransomware before you even realize they’re in your system. However, Avertium has advanced services that can help keep your organization safe:
Avertium and the FBI recommend the following guidelines for general ransomware attacks:
Mitigating AvosLocker
Top 5 cyber threats of Q1 2022 | Security Magazine
Remain Vigilant: Log4Shell Still Being Exploited (avertium.com)
AvosLocker Claims Data Theft From Another Healthcare Entity (govinfosecurity.com)
Microsoft Word - AvosLocker_CSA_TLP_White (ic3.gov)
Ragnar Locker Ransomware: Everything You Need To Know (Attacks & Analysis) (avertium.com)
FBI Releases AvosLocker Ransomware Advisory (securityintelligence.com)
Why good customer service is key to ransomware scams. (slate.com)
Ransomware group strikes second U.S. health care system in the last two months (cyberscoop.com)
AvosLocker ransomware - what you need to know | The State of Security (tripwire.com)
2022-unit42-ransomware-threat-report-final.pdf (paloaltonetworks.com)
Ransomware payments spiked 70 percent last year - The Washington Post
AvosLocker Ransomware Behavior Examined on Windows & Linux | Qualys Security Blog
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.