Each attacked directory has a ransom note dropped in it, named GET_YOUR_FILES_BACK.txt: We can assume that this Base64-encoded data contains RSA-protected AES key that was used for encrypting this file.
While the content is unreadable, at the end we find a Base64-encoded block added: avos extension appended to the original filename. The files that have been encrypted by AvosLocker can be identified with. The files are selected for encryption depending on their extensions. Looking at the log, we can see that the ransomware first "maps" the accessible drives by listing all their files. Searching files on: C:\Documents and Settings* In default mode, it works as a console application reporting details about its progress on screen.Įncrypting C:\autoexec.bat - ext bat - capped YESįile: C:_pin\pinadx-vsextension-4-g0c048d619.batĮncrypting C:_pin\pinadx-vsextension-4-g0c048d619.bat - ext bat - capped YES For this reason, it is not trying to be stealthy during its run. Soon, some victims of this ransomware started to emerge.ĪvosLocker is ran manually by the attacker who remotely accessed the machine. They offer not only the malware, but also help in managing the communication with the victim, and hosting of the data stolen during the operation. In the other advert they describe the product they offer: a multi-threaded ransomware written in C++: They announced a recruitment for "pentesters with Active Directory network experience" and "access brokers" which suggests that they want to cooperate with people who have remote access to hacked infrastructure. Its authors started searching for affiliates through various underground forums. With the disappearance of the infamous REvil, it is possible new threat actors are actively looking to fill the void.Īvos is a relatively new ransomware, that was observed in late June and early July. This type of ransomware attack is unfortunately all too common these days and has wreaked havoc across many industries. In this blog we will take a look at AvosLocker a solid, yet not too fancy new ransomware family that has already claimed several victims. While examining the ransomware payload, we noticed it was a new variant which we had not heard of before. The threat actor used this entry point to get into a Domain Controller and then leveraged it as a springboard to deploy ransomware. In mid-July we responded to an incident that involved an attack on a Microsoft Exchange server. This blog post was authored by Hasherezade
0 kommentar(er)
