AvosLocker Ransomware Gang Recruiting Affiliates, Partners
Cybercrime as-a-service
,
Fraud Management & Cybercrime
,
Next-Generation Technologies & Secure Development
Malwarebytes: Gang Seeking ‘Pentesters’ and ‘Access Brokers’
A recently discovered ransomware-as-a-service gang dubbed AvosLocker is recruiting affiliates and partners, including “pentesters” and “access brokers,” on darknet forums, according to the security firm Malwarebytes.
The gang behind the AvosLocker ransomware variant was identified by independent security researcher Rakesh Krishnan in June. The gang apparently has targeted smaller law firms and freight, logistics and real estate companies in the U.S., the U.K. and parts of Europe over the last several months, Krishnan and other researchers note.
See Also: Live Webinar: Seeking Success by Adopting a SASE Architecture: en el idioma Español
Earlier this month, the AvosLocker gang apparently launched a ransomware attack against Geneva, Ohio – a city of 6,200 – according to WKYC, an NBC affiliate in Cleveland.
“There isn’t much to know about AvosLocker at this point. They are very new, so they haven’t had a lot of success. Their biggest success so far has been Geneva, Ohio,” says Allan Liska, an intelligence analyst with Recorded Future’s computer security incident response team. “They are still trying to recruit affiliates, but I am not sure there has been much uptake there. They are definitely worth continuing to monitor.”
A recent report from incident response firm Coveware found that the average ransom paid by ransomware victims dropped by 38% in the second quarter of this year, compared to the first quarter (see: Ransomware: Average Ransom Payment Drops to $137,000).
Darknet Advertisements
The Malwarebytes researchers first encountered AvosLocker this month following an attack on a Microsoft Exchange email server of an unnamed victim. The gang appears to have used a vulnerable domain controller to gain a foothold in the server to deploy the ransomware, according to the report.
Following the incident, the researcher began tracking AvosLocker on various cybercriminal forums and discovered advertisements by the group seeking others to join its operation or serve as affiliates, the report notes.
“They announced a recruitment for ‘pentesters with Active Directory network experience’ and ‘access brokers’, which suggests that they want to cooperate with people who have remote access to hacked infrastructure,” according to Malwarebytes.
The researchers also found the gang advertising its crypto-locking malware as a multithread ransomware variant written in the C++ programming language. For affiliates, the group offers data hosting and helps to negotiate the ransom, the report notes.
“They offer not only the malware, but also help in managing the communication with the victim, and hosting of the data stolen during the operation,” according to Malwarebytes.
Technical Details
Malwarebytes says AvosLocker ransomware is run manually by the attackers, who try to remotely access a device or network.
“For this reason, it is not trying to be stealthy during its run. In default mode, it works as a console application reporting details about its progress on screen,” the security firm says.
If the initial attack is successful, the ransomware first maps the accessible drives by listing all the files. Certain files are then selected for encryption depending on their extensions, according to the research report.
The Malwarebytes report says the operators behind the ransomware identify encrypted files with a .avos extension, which is appended to the original filename.
“While the content is unreadable, at the end, we find a Base64-encoded block added. We can assume that this Base64-encoded data contains RSA-protected AES key that was used for encrypting this file. Each attacked directory has a ransom note dropped in it, named GET_YOUR_FILES_BACK.txt,” the researchers note.
The ransomware operators also tell victims that the ransom amount will increase if a deadline is not met, and the attackers will attempt to blackmail the victim by threatening to dox them. To prove authenticity, victims are shown a website dubbed “press releases” that appears to contain the blackmail details.