FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff
Article Id 207878

Introduction

On 21 Mar 22, CASA released an advisory on AvosLocker[1]. AvosLocker is a new ransomware and extortion gang that appeared on the ransomware scene in late 2021. AvosLocker has been known to target organizations responsible for managing critical infrastructure. The gang’s targets are mostly located in the US, but victims have been observed globally. AvosLocker follows the continuing trend of ‘professionalization’ of ransomware crime, providing a logo and, in some cases, a call center to support payment by victims.

As outlined in the advisory, AvosLocker has carried out a significant number of successful attacks over the last 12 months by targeting the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange servers. AvosLocker intrusions follow patterns similar to other ransomware-based attacks prior to deployment of the ransomware itself: delivery through malicious web requests to vulnerable Microsoft Exchange servers, exploitation of known vulnerabilities, deployment of open-source tools for credential dumping (Mimikatz) and data exfiltration (rclone), persistence through the registry, and command and control through Cobalt Strike and/or the AnyDesk remote administration software. The AvosLocker group deploys its own ransomware (AvosLocker ransomware), which it claims to be the fastest on the market.

FortiEDR can detect and mitigate the execution of AvosLocker ransomware out of the box through both signature-based and behavior-based detections. Mitigations provided by FortiEDR prevent execution of AvosLocker ransomware (pre-execution) and block the malicious behavior it performs during execution (post-execution). Details of the mitigations and blocked behavior are outlined in the article below.

Fig1.png

Figure 1. AvosLocker leak page where AvosLocker posts details on victims. This webpage also serves as a marketplace for exfiltrated data if victims do not pay the ransom in time. The victim at the top left, for example, has their data available for sale.

Pre-execution detection

FortiEDR integrates machine learning, online sandboxing, and FortiGuard Threat Intelligence into its analysis of executables on a protected endpoint. These integrations can detect known malicious files and unknown but suspicious files prior to their execution. In the case of AvosLocker, FortiGuard tracks new variants of AvosLocker under the following signature names[2]:

W32/Cryptor.OHU!tr.ransom
W32/Filecoder.OHU!tr.ransom
ELF/Encoder.A811!tr.ransom
Linux/Filecoder_AvosLocker.A!tr

The sample analyzed in this article is flagged as W32/Filecoder.OHU!tr.ransom, as shown in the classification panel in Figure 2.

Post-execution detection

To demonstrate the detection capabilities of FortiEDR against the AvosLocker sample, FortiEDR was switched to ‘Simulation mode’ and the sample was executed. In this mode, behavior is logged but not blocked; however, each recorded security event highlights behavior that would be blocked when FortiEDR ‘Protect mode’ is enabled.

As shown in Figure 2, execution of AvosLocker ransomware generates multiple security events (6) under the default configuration. The behavior detected and blocked by FortiEDR is explained in greater detail below.

Fig2.png

Figure 2. FortiEDR event viewer showing security events generated as a result of AvosLocker ransomware execution.

Common to all events is that the AvosLocker sample, in this case named ‘update.exe’, is flagged as malicious. FortiEDR employs machine learning, online sandboxing (including integration with FortiSandbox) and integration with FortiGuard Threat Intelligence to identify known and unknown malicious samples quickly and accurately. As can be seen in the ‘Classification Details’ panel in Figure 2, FortiEDR has classified the analyzed AvosLocker sample as ‘Filecoder.OHU!tr.ransom’ based on FortiGuard signatures[3].

Clearing Event Logs

Following execution, the AvosLocker sample attempts to delete all Windows event logs by spawning a PowerShell child process. The PowerShell command used to delete the logs is shown below.

                powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

The purpose of this command is likely to inhibit defensive actions by preventing the collection of forensic artifacts from the endpoint following encryption. Because a ransomware infection typically produces a large number of file operations, IR teams would have even greater difficulty recovering the deleted log files from slack space. See the Threat Hunting section for a query that can be used to identify this activity.

Delete Volume Shadow Copies

As part of its encryption process, AvosLocker attempts to delete the volume shadow copies on an endpoint. This is another common function performed by ransomware, as it prevents files from being restored from volume shadow copies during the recovery phase. AvosLocker attempts to do this in two ways: first using wmic.exe, and second using vssadmin.exe.

In the first method, AvosLocker launches a child process of wmic.exe, a standard Windows binary used to access Windows Management Instrumentation (WMI), a Windows subsystem that can be used to access, create, and modify components of the running operating system, in order to delete all shadow copies on an endpoint. In this case, the process is spawned with the following command-line arguments:

                wmic shadowcopy delete /noninteractive

The first attempt was detected by FortiEDR as a security event, as shown in Figure 3.

Fig3.png

Figure 3. FortiEDR detection event associated with the AvosLocker sample attempting to delete volume shadow copies using wmic.exe.

Following execution of this command, the AvosLocker ransomware launches a second child process, vssadmin.exe. This executable is another standard Windows binary, used to administer the Volume Shadow Copy service on an endpoint. In this case, the process is spawned to delete any shadow copies not removed by the previous wmic command.

                vssadmin.exe Delete Shadows /All /Quiet

Evidence of this behavior can be found through the FortiEDR Threat Hunting feature, as shown in Figure 4. Note that FortiEDR tags the related behavior with the appropriate MITRE ATT&CK technique, which can be searched directly through the Threat Hunting interface.

Fig4.png

Figure 4. FortiEDR Threat Hunting interface showing the Process Creation event for the vssadmin process created by AvosLocker to remove remaining volume shadow copies.

File Encryption

FortiEDR flags encryption activity performed by AvosLocker with the ‘File Encryptor’ rule, which forms part of the Ransomware Protection security policy. This rule identifies attempts to encrypt files on a target system and prevents the encryption from proceeding. Figure 5 shows that FortiEDR identified the AvosLocker sample attempting to encrypt 2496 files on the victim endpoint.

Fig5.png

Figure 5. FortiEDR Stacks view in the forensics panel showing the rename of an encrypted file. Note the large file count for this activity, as an event was created for each file encryption and subsequent rename.

AvosLocker also attempts to encrypt files on mounted SMB shares. These abnormal access attempts are flagged by the ‘PUP - Potentially Unwanted Program’ rule in the Exfiltration Prevention security policy. This SMB activity can be observed through the FortiEDR Forensics view, as shown in Figure 6.

Fig6.png

Figure 6. AvosLocker attempts to access and encrypt files on mounted SMB shares. The detection of this behavior shown above is taken from the FortiEDR Stacks view.

Ransom Notification

Like most ransomware, AvosLocker drops numerous ransom notes on an affected endpoint, notifying users that their files have been encrypted and outlining the process for purchasing an unlocking tool. In the case of AvosLocker, the ransom note is named ‘GET_YOUR_FILES_BACK.txt’ and a copy is placed in every directory where a file was encrypted. The contents of the ransom note are shown in Figure 7, and the related FortiEDR security event is shown in Figure 2.

Fig7.png

Figure 7. AvosLocker ransom note.

Conclusion

As with previously analyzed ransomware families, FortiEDR provides detection and mitigation against current and future variants of AvosLocker ransomware through both pre-execution and post-execution policies. In addition to these standard protections, FortiEDR Threat Hunting provides access to additional telemetry that can be used to identify TTPs commonly employed by other ransomware variants as part of the encryption process. Some of these Threat Hunting queries, along with queries to identify AvosLocker-specific behavior, are provided below.

Threat Hunting

File Creation

Identify file creation events for files with an encrypted file extension:

Target.File.Ext:("avos" OR "avos2" OR "avoslinux")

Identify AvosLocker ransom note creation events:

Type:("File Creation") AND Source.Process.File.Reputation:("ReputationMalware" OR "ReputationUnknown") AND Target.File.Name:("GET_YOUR_FILES_BACK.txt")
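
The two file creation queries above, together with the File Encryption and Ransom Notification sections, describe what AvosLocker leaves on disk: renamed files with an encrypted extension, the same activity against mounted SMB shares, and a ransom note written by a process of Malware or Unknown reputation. The Python below is an added example and not FortiEDR code or a FortiEDR query; it expresses those queries as detection logic over endpoint file events. The record format and field names are assumptions, the sample events are constructed (UNC paths stand in for mounted SMB shares), and the extensions, note name and reputation values are the ones quoted in the article.

```python
"""Added example (not FortiEDR code): file-level AvosLocker detection logic
run over constructed file events. Field names are assumptions."""
import ntpath
from collections import Counter

# Values quoted in the article's Threat Hunting queries.
ENCRYPTED_EXTENSIONS = {"avos", "avos2", "avoslinux"}
RANSOM_NOTE_NAME = "GET_YOUR_FILES_BACK.txt"
SUSPICIOUS_REPUTATIONS = {"ReputationMalware", "ReputationUnknown"}

# Constructed sample events. "new_path" is the post-rename path of a File
# Rename event; UNC paths represent files on a mounted SMB share.
SAMPLE_FILE_EVENTS = [
    {"type": "File Rename", "source_process": "update.exe",
     "source_reputation": "ReputationMalware",
     "path": r"C:\Users\alice\Documents\report.docx",
     "new_path": r"C:\Users\alice\Documents\report.docx.avos"},
    {"type": "File Rename", "source_process": "update.exe",
     "source_reputation": "ReputationMalware",
     "path": r"C:\Users\alice\Documents\budget.xlsx",
     "new_path": r"C:\Users\alice\Documents\budget.xlsx.avos"},
    {"type": "File Creation", "source_process": "update.exe",
     "source_reputation": "ReputationMalware",
     "path": r"C:\Users\alice\Documents\GET_YOUR_FILES_BACK.txt"},
    {"type": "File Rename", "source_process": "update.exe",
     "source_reputation": "ReputationMalware",
     "path": r"\\fileserver\finance\q1.pdf",
     "new_path": r"\\fileserver\finance\q1.pdf.avos"},
    {"type": "File Creation", "source_process": "update.exe",
     "source_reputation": "ReputationMalware",
     "path": r"\\fileserver\finance\GET_YOUR_FILES_BACK.txt"},
    # Benign activity that must not be flagged.
    {"type": "File Creation", "source_process": "winword.exe",
     "source_reputation": "ReputationKnown",
     "path": r"C:\Users\alice\Documents\notes.txt"},
    # An analyst saving a copy of the note from a known-good editor.
    {"type": "File Creation", "source_process": "notepad.exe",
     "source_reputation": "ReputationKnown",
     "path": r"C:\IR\GET_YOUR_FILES_BACK.txt"},
]


def result_path(event):
    """Path that exists after the event: the new name for renames."""
    return event.get("new_path", event["path"])


def has_encrypted_extension(path):
    """True when the extension is one AvosLocker appends (case-insensitive)."""
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    return ext in ENCRYPTED_EXTENSIONS


def is_share_path(path):
    """UNC paths indicate access to a remote SMB share (T1021.002)."""
    return path.startswith("\\\\")


def find_encrypted_files(events):
    """Mirror of the Target.File.Ext query: files carrying an encrypted extension."""
    return [result_path(e) for e in events
            if e["type"] in ("File Creation", "File Rename")
            and has_encrypted_extension(result_path(e))]


def find_ransom_notes(events):
    """Mirror of the ransom note query: note written by a Malware/Unknown process."""
    return [e["path"] for e in events
            if e["type"] == "File Creation"
            and ntpath.basename(e["path"]) == RANSOM_NOTE_NAME
            and e["source_reputation"] in SUSPICIOUS_REPUTATIONS]


def summarize(events):
    """Per-process encryption counts plus share and ransom-note totals."""
    encrypted = find_encrypted_files(events)
    per_process = Counter(
        e["source_process"] for e in events
        if e["type"] in ("File Creation", "File Rename")
        and has_encrypted_extension(result_path(e)))
    return {
        "encrypted_files": len(encrypted),
        "share_files": sum(1 for p in encrypted if is_share_path(p)),
        "ransom_notes": len(find_ransom_notes(events)),
        "encrypting_processes": dict(per_process),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FILE_EVENTS))
```

Counting encrypted-extension events per source process is what turns individual renames into a ransomware signal: one rename from one process is noise, while thousands from the same process in a short window is the File Encryptor pattern shown in Figure 5, and UNC paths within that set are the share activity mapped to T1021.002 below.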


Process Creation

Identify AvosLocker executable execution (known samples):

Type:("Process Creation") AND Target.Process.File.ThreatName:("Filecoder.OHU!tr.ransom" OR "Cryptor.OHU!tr.ransom" OR "Encoder.A811!tr.ransom" OR "Filecoder_AvosLocker.A!tr")

Identify attempts to delete volume shadow copies with WMIC. Note that in the case of AvosLocker this returns both the cmd.exe process creation event and the resulting child wmic.exe process creation event:

Type:("Process Creation") AND Target.Process.Commandline:("shadowcopy delete /noninteractive")

Identify attempts to delete volume shadow copies with vssadmin. Note that in the case of AvosLocker this returns both the cmd.exe process creation event and the resulting child vssadmin.exe process creation event:

Type:("Process Creation") AND Target.Process.Commandline:("Delete Shadows /All /Quiet")

Identify attempts to delete Windows event logs using the method employed by the AvosLocker sample:

Type:("Process Creation") AND Source.Process.File.Reputation:("ReputationMalware" OR "ReputationUnknown") AND Target.Process.Commandline:("Get-EventLog -LogName \* \| ForEach \{ Clear-EventLog $_.Log \}")

Identify attempts to modify boot settings to prevent boot recovery and suppress error messages:

Type:("Process Creation") AND Source.Process.File.Reputation:("ReputationMalware" OR "ReputationUnknown") AND Target.Process.Commandline:("/set \{ default \} bootstatuspolicy ignoreallfailures" OR "/set \{ default \} recoveryenabled No")
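
The process creation queries above, together with the Clearing Event Logs and Delete Volume Shadow Copies sections, describe three command-line patterns: the PowerShell event log clear, the wmic and vssadmin shadow copy deletion, and the boot recovery changes. The Python below is an added example and not FortiEDR code or a FortiEDR query; it expresses those patterns as detection rules carrying the ATT&CK technique IDs used in this article and runs them over constructed process-creation records. The field names and the process tree in the sample records are assumptions; the reputation scoping on the event log and boot setting rules follows the corresponding queries.

```python
"""Added example (not FortiEDR code): the article's process-creation queries
as detection rules, run over constructed records. Field names are assumptions."""
import re

# Reputation values the article's queries use to scope the source process.
SUSPICIOUS_REPUTATIONS = {"ReputationMalware", "ReputationUnknown"}

# (ATT&CK technique, description, regex over the lower-cased command line,
#  whether the source process must be Malware/Unknown, as in the matching query)
RULES = [
    ("T1070.001", "Clear Windows event logs via PowerShell",
     re.compile(r"clear-eventlog"), True),
    ("T1490", "Delete volume shadow copies (wmic)",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"), False),
    ("T1490", "Delete volume shadow copies (vssadmin)",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"), False),
    ("T1490", "Disable boot recovery / ignore boot failures",
     re.compile(r"/set\s+\{\s*default\s*\}\s+"
                r"(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)"), True),
]


def event(source, reputation, target, command_line, kind="Process Creation"):
    """Build one constructed telemetry record (field names are assumptions)."""
    return {"type": kind, "source_process": source, "source_reputation": reputation,
            "target_process": target, "command_line": command_line}


# Constructed records modelled on the process tree described in the article;
# update.exe is the sample name used there.
SAMPLE_EVENTS = [
    event("update.exe", "ReputationMalware", "cmd.exe",
          "cmd.exe /c wmic shadowcopy delete /noninteractive"),
    event("cmd.exe", "ReputationKnown", "wmic.exe",
          "wmic shadowcopy delete /noninteractive"),
    event("cmd.exe", "ReputationKnown", "vssadmin.exe",
          "vssadmin.exe Delete Shadows /All /Quiet"),
    event("update.exe", "ReputationMalware", "powershell.exe",
          'powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"'),
    event("update.exe", "ReputationMalware", "bcdedit.exe",
          "bcdedit /set {default} recoveryenabled No"),
    # Benign administration, and a log clear from a known-good parent that the
    # reputation-scoped rule deliberately leaves out: neither should match.
    event("explorer.exe", "ReputationKnown", "vssadmin.exe",
          "vssadmin.exe List Shadows"),
    event("cmd.exe", "ReputationKnown", "powershell.exe",
          'powershell -command "Clear-EventLog Application"'),
]


def evaluate(record):
    """Return (technique, description) for each rule the record satisfies."""
    if record.get("type") != "Process Creation":
        return []
    cmd = record.get("command_line", "").lower()
    # A missing reputation is treated as Unknown rather than trusted.
    reputation = record.get("source_reputation", "ReputationUnknown")
    trusted_source = reputation not in SUSPICIOUS_REPUTATIONS
    return [(tech, desc) for tech, desc, pattern, need_suspicious in RULES
            if pattern.search(cmd) and not (need_suspicious and trusted_source)]


def detect(records):
    """Run every rule over every record and collect the findings."""
    findings = []
    for rec in records:
        for tech, desc in evaluate(rec):
            findings.append({"technique": tech, "description": desc,
                             "source": rec["source_process"],
                             "target": rec["target_process"],
                             "command_line": rec["command_line"]})
    return findings


def techniques_observed(findings):
    """Distinct ATT&CK technique IDs present in the findings, sorted."""
    return sorted({f["technique"] for f in findings})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['technique']:10} {f['target']:16} {f['command_line']}")
```

The shadow copy rules fire on both the cmd.exe record (whose command line carries the wmic or vssadmin arguments) and the child process, matching the note under the queries above. The reputation filter on the event log and boot setting rules keeps routine administrative PowerShell out of the results, but it also means the same command launched from a parent with a known-good reputation is not reported; a lower-severity rule without that filter is a reasonable complement.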


MITRE ATT&CK

TA0005 – Defense Evasion

Technique ID: T1070.001
Technique Description: Indicator Removal on Host: Clear Windows Event Logs
Observed Activity: AvosLocker spawns a PowerShell child process to delete Windows event logs on execution. This prevents the logs from being used to understand the activity leading up to deployment of the ransomware.

TA0008 – Lateral Movement

Technique ID: T1021.002
Technique Description: Remote Services: SMB/Windows Admin Shares
Observed Activity: AvosLocker ransomware also attempts to encrypt files hosted on mounted SMB shares.

TA0040 – Impact

Technique ID: T1486
Technique Description: Data Encrypted for Impact
Observed Activity: AvosLocker is a ransomware variant used to encrypt data on an endpoint. AvosLocker encrypts non-system files on a victim endpoint.

Technique ID: T1490
Technique Description: Inhibit System Recovery
Observed Activity: AvosLocker ransomware attempts to delete all volume shadow copies on a victim endpoint through both the wmic and vssadmin executables.

IOCs

Indicator Description   Indicator                                   Indicator Type   Associated Tactic   Notes
Malicious Executable    32bf972e0b352d5455e0336737a504d2819402a4    SHA1 Hash        Impact              AvosLocker executable. Sample analysed for this article.
Malicious Executable    5b9f31e618e6ea6329af048fe89cb8130ee20646    SHA1 Hash        Impact              AvosLocker executable
Malicious Executable    a85bb2093cb39cea13f586d22e78ac3b5c58d7fb    SHA1 Hash        Impact              AvosLocker executable
Malicious Executable    e94fd8aaae4b3e423097a896b8c3ada22d0afe08    SHA1 Hash        Impact              AvosLocker executable
Malicious Executable    40207f83b601cd60905c1f807ac0889c80dfe33f    SHA1 Hash        Impact              AvosLocker executable
Malicious Executable    f0776017545d7c5a85de3b15f8cff3171dbf4f43    SHA1 Hash        Impact              AvosLocker executable
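
A defender's direct use of the hash indicators above is a sweep of file systems, quarantine stores or collected samples. The Python below is an added example and not FortiEDR functionality; it hashes every regular file under a directory in chunks and reports matches against the SHA-1 values in the IOC table. The self-check builds a constructed directory containing a marker file so the routine can be exercised offline without any AvosLocker sample.

```python
"""Added example (not FortiEDR code): sweep a directory tree for files whose
SHA-1 matches the AvosLocker indicators listed in this article."""
import hashlib
import os
import tempfile

# SHA-1 indicators from the IOC table in this article.
AVOSLOCKER_SHA1 = {
    "32bf972e0b352d5455e0336737a504d2819402a4",
    "5b9f31e618e6ea6329af048fe89cb8130ee20646",
    "a85bb2093cb39cea13f586d22e78ac3b5c58d7fb",
    "e94fd8aaae4b3e423097a896b8c3ada22d0afe08",
    "40207f83b601cd60905c1f807ac0889c80dfe33f",
    "f0776017545d7c5a85de3b15f8cff3171dbf4f43",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, indicators=AVOSLOCKER_SHA1):
    """Return [(path, sha1)] for every regular file under root whose SHA-1 is
    in indicators. Symlinks are skipped and unreadable files are ignored so
    one bad entry does not abort the sweep."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in indicators:
                matches.append((path, digest))
    return matches


def self_check():
    """Build a constructed tree with one marker file and scan it twice: against
    the real IOC set (no hits expected) and against a set seeded with the
    marker's own hash (one hit expected)."""
    with tempfile.TemporaryDirectory() as root:
        staging = os.path.join(root, "staging")
        os.makedirs(staging)
        marker = os.path.join(staging, "sample.bin")
        with open(marker, "wb") as fh:
            fh.write(b"abc")  # constructed content, not malware
        marker_hash = sha1_of_file(marker)
        return {
            "marker_hash": marker_hash,
            "real_ioc_hits": len(scan_tree(root)),
            "seeded_hits": [digest for _, digest in scan_tree(root, {marker_hash})],
        }


if __name__ == "__main__":
    print(self_check())
```

Hash indicators only match the exact samples listed; a repacked or rebuilt binary produces a different digest, so a sweep like this complements rather than replaces the behavioral detections described earlier in the article.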


[1] https://www.ic3.gov/Media/News/2022/220318.pdf

[2] https://fortiguard.fortinet.com/threat-signal-report/4465

[3] https://www.fortiguard.com/encyclopedia/virus/10044273
