FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff
Staff

 

Description

 

On 21 Mar 22, CASA released an advisory on AvosLocker[1]. AvosLocker is a new ransomware and extortion gang appearing on the ransomware scene in late 2021. AvosLocker has been known to target organizations responsible for managing critical infrastructure. The gang’s targets are mostly localized to the US but have been observed globally. AvosLocker follow the continuing trend of ‘professionalization’ of the ransomware crime providing a logo and in some cases a call center to support payment from victims.

 

As outlined in the advisory AvosLocker have made a significant number of successful attacks by targeting the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange servers over the last 12 months. AvosLocker intrusions follow similar patterns to other ransomware-based attacks prior to the deployment of the ransomware itself; delivery through malicious web request to vulnerable Microsoft Exchange servers, exploitation of known vulnerabilities, deployment of open-source tools for credential dumping (mimikatz) and data exfiltration (rclone), persistence through the registry and command and control through Cobalt Strike and/or AnyDesk remote administrative software. The AvosLocker group deploy their own ransomware (AvosLocker ransomware) that they claim to be the fastest on the market.

 

FortiEDR can detect and mitigate the execution of AvosLocker ransomware out of the box through both signature and behavior-based detections. Mitigations provided through FortiEDR prevent execution of AvosLocker ransomware (pre-execution) and blocks malicious behavior it conducts during execution (post-execution). Details of mitigations and blocked behavior are outlined in the article below.

 

 

Fig1.png

 

Figure 1. AvosLocker leak page where AvosLocker post details on victims. This webpage also serves as a marketplace for exfiltrated data if victims do not pay the ransom in time. The victim at the top left, for example, has their data available for sale.

 

Pre-execution detection

FortiEDR integrates machine learning, online sandboxing, and FortiGuard Threat Intelligence in its analysis of executables on a protected endpoint. These integrations can detect execution of know malicious files and unknown but suspicious files prior to their execution. In the case of AvosLocker, FortiGuard tracks new variants of AvosLocker under the following signature names[2]:

 

W32/Cryptor.OHU!tr.ransom

W32/Filecoder.OHU!tr.ransom

ELF/Encoder.A811!tr.ransom

Linux/Filecoder_AvosLocker.A!tr

 

The detection of the sample analyzed in this article can be seen as being flagged as W32/Filecoder.OHU!tr.ransom in the classification panel shown in Figure 2.

 

 

Post-execution detection

To demonstrate the detection capabilities of FortiEDR against the AvosLocker sample, FortiEDR was moved into ‘Simulation mode’ and the sample was executed. In this mode, behavior is logged but not blocked, however each recorded security events highlights behavior that would be blocked when FortiEDR ‘Protect mode’ is enabled.

 

As can be seen below in Figure 2, execution of AvosLocker ransomware flags multiple events (6) under the default configuration. The behavior detected and blocked by FortiEDR is explained in greater detail below.

 

 

Fig2.png

 

Figure 2. FortiEDR event viewer showing security events generated as a result of AvosLocker ransomware execution.

 

Common amongst all events is that the AvosLocker sample, in this case named ‘update.exe’, is flagged as malicious. FortiEDR employs machine learning, online sandboxing (including integration with FortiSandbox) and integration with FortiGuard Threat Intelligence to identify known and unknown malicious samples quickly and accurately. As can be seen in the ‘Classification Details panel in Figure 2, FortiEDR has classified the analyzed AvosLocker sample as ‘Filecoder.OHU!tr.ransom’ based on FortiGuard signatures[3].

 

Clearing Event Logs

 

Following execution, the AvosLocker sample will attempt to delete all Windows event logs by spawning a PowerShell child process. The PowerShell command used to delete logs is shown below.

 

                powershell –command “Get-EventLog –LogName * | ForEach { Clear-EventLog $_.Log}”

 

The purpose of this command is likely to inhibit defensive actions by preventing the collection of forensic artifacts from the endpoint following encryption. Given the nature of ransomware, a ransomware infection typically results in many file operations meaning that IR teams would have even further difficulty extracting deleted log files from slack space. See the Threat Hunting section for a threat hunting query you can use to identify this activity.

 

Delete Volume Shadow Copies

 

As part of its encryption process AvosLocker attempts to delete the volume shadow copies on an endpoint. This is another common function performed by ransomware as it prevents files from being restored from volume shadow copies during the recovery phase. AvosLocker attempts to do this in two ways; firstly, using wmic.exe and secondly through vssadmin.exe.

 

In the first way, AvosLocker launches a child process of wmic.exe, a standard Windows binary used for accessing Windows Management Interface (WMI), a Windows subsystem that can be used to access, create, and modify components of the running operating system, to delete all shadow copies on and endpoint. In this case, the process is spawned with the following command-line arguments:

                wmic shadowcopy delete /noninteractive

 

The first attempt was detected by FortiEDR as a security event, as shown below in Figure 3.

 

Fig3.png

 

Figure 3. FortiEDR detection event associated with AvosLocker sample attempting to delete volume shadow copies using the WMIC service.

 

Following execution of this command, the AvosLocker ransomware launches a second child process vssadmin.exe. This executable is another standard Windows binary used for the administration of the Volume Shadow copy service on an endpoint. In this case, the process is spawned to delete any shadow copies not deleted using the previous wmic command.

 

                vssadmin.exe Delete Shadows /All /Quiet

 

Evidence of this behavior can be found through the FortiEDR Threat Hunting feature, as shown below in Figure 4. Note that FortiEDR tags the related behavior with the appropriate MITRE ATT&CK technique which can be directly searched through the Threat Hunting interface.

 

Fig4.png

 

Figure 4. FortiEDR Threat Hunting interface showing the Process Creation event for the vssadmin process created by AvosLocker to remove remaining volume shadow copies.

 

File Encryption

 

FortiEDR flags encryption activity performed by AvosLocker with the ‘File Encryptor’ rule that forms part of the Ransomware Protection security policy. This rule identifies attempts to encrypt files on a target system and prevents the encryption process from occurring. We can see in Figure 5 below that FortiEDR identified the AvosLocker sample attempting to encrypt 2496 files on the victim endpoint.

 

 

Fig5.png

 

Figure 5. FortiEDR Stacks view in the forensics panel showing file rename of an encrypted file. Note the large file count for this activity as an event was created for each file encryption and subsequent rename.

 

AvosLocker also attempts to encrypt files on mounted SMB shares. These abnormal access attempts are flagged by the ‘PUP - Potentially Unwanted Program’ rule in the Exfiltration Prevention security policy. This SMB activity can be observed through the FortiEDR Forensics view as shown below in Figure 6.

 

Fig6.png

 

Figure 6. Avos Locker attempts to access and encrypt files on mounted SMB shares. Detection of this behavior shown above taken from FortiEDR Stack view.

 

Ransom Notification

Like most ransomware, AvosLocker drops numerous ransom notes on an affected endpoint notifying endpoint users that their files have been encrypted and outlining the process for purchasing an unlocking tool. In the case of AvosLocker the ransomware note name is ‘GET_YOUR_FILES_BACK.txt’ and a copy is placed in every directory where a file was encrypted. A copy of the ransom note contents is shown below in Figure 7 and the related FortiEDR security event is shown in Figure 2.

 

 

Fig7.png

 

Figure 7. AvosLocker ransom note.

 

Conclusion

As with previously analyzed ransomware families, FortiEDR provides detection and mitigation against current and future variants of the AvosLocker ransomware through both pre and post execution policies. In addition to these standard protections, FortiEDR Threat Hunting also provides access to additional telemetry that can be used to identify TTPs commonly employed by other ransomware variants as part of the encryption process. Some of these Threat Hunting queries, along with queries to identify AvosLocker specific behavior are provided below.

 

Threat Hunting

File Creation

Identify file creation events for files with encrypted file extension:

 

Target.File.Ext:("avos" OR "avos2" OR "avoslinux")

Identify AvosLocker ransom note creation events:

 

Type:("File Creation") AND Source.Process.File.Reputation:("ReputationMalware" OR "ReputationUnknown") AND Target.File.Name:("GET_YOUR_FILES_BACK.txt")

 

Process Creation

Identify AvosLocker executable execution (known samples)

Type:("Process Creation") AND Target.Process.File.ThreatName:("Filecoder.OHU!tr.ransom" OR "Cryptor.OHU!tr.ransom" OR "Encoder.A811!tr.ransom" OR "Filecoder_AvosLocker.A!tr")

 

Identify attempts to delete volume shadow copies with WMIC. Note this in the case of AvosLocker this will return the cmd.exe process creation event and the resulting child wmic.exe process creation event:

 

Type:("Process Creation") AND Target.Process.Commandline:("shadowcopy delete /noninteractive")

 

Identify attempts to delete volume shadow copies with vssadmin. Note this in the case of AvosLocker this will return the cmd.exe process creation event and the resulting child vssadmin.exe process creation event:

 

Type:("Process Creation") AND Target.Process.Commandline:("Delete Shadows /All /Quiet")

 

Identify attempts to delete Windows Event Logs using the method employed by the AvosLocker sample:

 

Type:("Process Creation") AND Source.Process.File.Reputation:("ReputationMalware" OR "ReputationUnknown") AND Target.Process.Commandline:("Get-EventLog -LogName \* \| ForEach \{ Clear-EventLog $_.Log \}")

 

Identify attempts to modify boot settings to prevent boot recovery and suppress error messages:

 

Type:"Process Creation" AND Source.Process.File.Reputation:("ReputationMalware" OR "ReputationUnknown") AND Target.Process.Commandline:"/set \{ default \} bootstatuspolicy ignoreallfailures" OR "/set \{ default \} recoveryenabled No")

 

MITRE ATT&CK

TA0005 – Defense Evasion

 Technique ID

Technique Description

Observed Activity

T1070.001

Indicator Removal on Host: Clear Windows Event Logs

AvosLocker spawns a PowerShell child process to delete Windows events logs on execution. This prevents logs being used to understand activities leading up to the deployment of ransomware.

 

TA0008 – Lateral Movement

 Technique ID

Technique Description

Observed Activity

T1021.002

Remote Services: SMB/Windows Admin Shares

AvosLocker ransomware attempts to encrypt files hosted on mounted SMB shares as well.

 

TA0040 – Impact

 Technique ID

Technique Description

Observed Activity

T1486

Data Encrypted for Impact

AvosLocker is a variant of ransomware used to encrypt data on an endpoint. AvosLocker encrypts non-system files on a victim endpoint.

 

 Technique ID

Technique Description

Observed Activity

T1490

Inhibit System Recovery

AvosLocker ransomware attempts to delete all volume shadow copies on a victim endpoint through both the wmic and vssadmin executables.

 

 

IOCs

Indicator Description

Indicator

Indicator Type

Associated Tactic

Notes

Malicious Executable

32bf972e0b352d5455e0336737a504d2819402a4

SHA1 Hash

Impact

AvosLocker executable. Sample analysed for this article.

Malicious Executable

5b9f31e618e6ea6329af048fe89cb8130ee20646

SHA1 Hash

Impact

AvosLocker executable

Malicious Executable

a85bb2093cb39cea13f586d22e78ac3b5c58d7fb

SHA1 Hash

Impact

AvosLocker executable

Malicious Executable

e94fd8aaae4b3e423097a896b8c3ada22d0afe08

SHA1 Hash

Impact

AvosLocker executable

Malicious Executable

40207f83b601cd60905c1f807ac0889c80dfe33f

SHA1 Hash

Impact

AvosLocker executable

Malicious Executable

f0776017545d7c5a85de3b15f8cff3171dbf4f43

SHA1 Hash

Impact

AvosLocker executable

 

 

[1] https://www.ic3.gov/Media/News/2022/220318.pdf

[2] https://fortiguard.fortinet.com/threat-signal-report/4465

[3] https://www.fortiguard.com/encyclopedia/virus/10044273

Contributors