AvosLocker Ransomware
Infosec researchers uncovered a new ransomware operation that they named AvosLocker. The hacker group appears to have become active around June 2021 and in just a couple of months has managed to rack up several victims. The cybercriminals publish the names of their victims on a dedicated leak site hosted on the Tor network. The site contains two sections - 'Public Service Announcements' and 'Leaks.' All breached entities, alongside proof of the data collected from them, are displayed under the 'Public Service Announcement' page. The AvosLocker group uses spam email campaigns that disseminate bait emails, as well as malicious advertisements, as the initial infection vectors for delivering the ransomware threat.
AvosLocker Ransomware's Details
The deployed ransomware threat is written in C++ and utilizes a customized version of the AES-256 cryptographic algorithm to lock the files stored on the breached systems. The malware is designed to infect Windows machines and will not execute on other platforms. Among its threatening capabilities, the AvosLocker Ransomware can delete the Shadow Volume Copies of the affected files, preventing recovery from them, and terminate specific applications that may interfere with the encryption process. Upon encrypting a file, AvosLocker appends '.avos' to that file's original name as a new extension. Like most threats of this type, the AvosLocker Ransomware also delivers a ransom note with instructions for its victims. The message is dropped as a text file named 'GET_YOUR_FILES_BACK.txt.'
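The two file-system artifacts described above, the '.avos' extension and the 'GET_YOUR_FILES_BACK.txt' note, are the indicators a defender can watch for. The following triage script is an added example, not code from the original article or from any vendor; the `FileEvent` shape and the sample telemetry are constructed for illustration, and the burst threshold is an assumed tuning value.

```python
import os
from dataclasses import dataclass

# Indicators named on the page: extension added to encrypted files and the ransom note name.
AVOS_EXT = ".avos"
RANSOM_NOTE = "GET_YOUR_FILES_BACK.txt"


@dataclass
class FileEvent:
    """One file-system event as a monitoring agent might record it (constructed shape)."""
    ts: float            # seconds since epoch
    action: str          # "create" or "rename"
    path: str            # original path
    new_path: str = ""   # destination path for renames


def _name(path):
    # Accept both Windows and POSIX separators in case the log mixes them.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_avos_rename(ev):
    """A rename that appends '.avos' to a file that did not already carry it."""
    return (ev.action == "rename"
            and ev.new_path.lower().endswith(AVOS_EXT)
            and not ev.path.lower().endswith(AVOS_EXT))


def is_ransom_note_drop(ev):
    return ev.action == "create" and _name(ev.path).lower() == RANSOM_NOTE.lower()


def triage(events, rename_threshold=5, window_s=60.0):
    """Verdict from .avos rename bursts (sliding window), note drops, and directories touched."""
    renames = sorted(ev.ts for ev in events if is_avos_rename(ev))
    notes = [ev.path for ev in events if is_ransom_note_drop(ev)]
    dirs = sorted({os.path.dirname(ev.new_path.replace("\\", "/"))
                   for ev in events if is_avos_rename(ev)})
    burst, j = 0, 0  # largest number of .avos renames inside any window_s seconds
    for i, t in enumerate(renames):
        while renames[j] < t - window_s:
            j += 1
        burst = max(burst, i - j + 1)
    if burst >= rename_threshold or (notes and renames):
        verdict = "likely-avoslocker"
    elif renames or notes:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "avos_renames": len(renames), "burst": burst,
            "notes": notes, "dirs": dirs}


# Constructed sample telemetry (not real victim data): five renames in two seconds, then the note.
SAMPLE = [
    FileEvent(1000.0, "rename", r"C:\Share\q3.xlsx", r"C:\Share\q3.xlsx.avos"),
    FileEvent(1000.5, "rename", r"C:\Share\plan.docx", r"C:\Share\plan.docx.avos"),
    FileEvent(1001.0, "rename", r"C:\Share\hr\pay.pdf", r"C:\Share\hr\pay.pdf.avos"),
    FileEvent(1001.2, "rename", r"C:\Share\hr\list.csv", r"C:\Share\hr\list.csv.avos"),
    FileEvent(1001.9, "rename", r"C:\Share\backup.zip", r"C:\Share\backup.zip.avos"),
    FileEvent(1002.0, "create", r"C:\Share\GET_YOUR_FILES_BACK.txt"),
    FileEvent(1500.0, "rename", r"C:\Users\a\notes.txt", r"C:\Users\a\notes.old"),  # benign
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A single rename to '.avos' is only "suspicious" because legitimate tooling can produce odd extensions; the burst of renames plus the note drop is what pushes the verdict to "likely-avoslocker".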
AvosLocker's Demands
As it turns out, the ransom note itself contains little useful information. It mostly just urges the victims of the threat to visit a TOR website for all further instructions. Following the provided link and entering the specific victim ID leads to a 'payment' page. Here, victims can see a countdown timer that measures the remaining time before the sum demanded by the hackers is doubled. The ransom needs to be transferred using the Monero cryptocurrency.
However, before paying, victims can upload a sample file to the site to test the hackers' ability to decrypt the locked data. The Web page also includes a support chat through which affected users can supposedly contact the AvosLocker hackers.
Paying any amount of money to ransomware operators is strongly discouraged. Users could be exposing themselves to additional security risks while funding the next threatening operation of the cybercriminals in the process.