AvosLocker – A new tool of the digital hostage-takers
AvosLocker is a new ransomware variant and has been active since June 2021. It encrypts files so that they can no longer be opened or read and affects Windows systems. Typical of ransomware attacks is the subsequent demand for a ransom – in the case of AvosLocker, a payment for decrypting the files.
"Ransomware attacks are no longer simply a profitable tool of organised crime. Their serious effects can be compared to targeted acts of sabotage. Entire ecosystems of services and platforms are forming around ransomware. The impact: it can hit anyone, anywhere."
This drastic assessment of the situation by Arne Schönbohm, president of the Federal Office for Information Security, was published in the German IT Security Situation Report. One particular form of this "hostage-taking software" (ransomware) is the AvosLocker virus.
And suddenly the data is gone
This ransomware variant encrypts data on the attacked system and appends ".avos" to the file name of each affected file. For example, quarterlyreport.xlsx becomes quarterlyreport.xlsx.avos, and its content can no longer be opened or read. AvosLocker uses two strong encryption algorithms: AES to encrypt the file data and RSA to encrypt the generated AES keys. This hybrid scheme is common across ransomware families: because the per-file AES keys are themselves encrypted with the attackers' RSA public key, the files cannot be decrypted without the matching private key, which only the attackers hold.
In each affected folder, the ransomware also drops a file called GET_YOUR_FILES_BACK.txt. In this text file, the attackers state that the data has been encrypted with an AES (Advanced Encryption Standard) key and advise against shutting down the computer while encryption is in progress, as data could otherwise be damaged. This is followed by a demand for payment in exchange for decryption, together with a link to an onion website. The website has several parts: the leak site publishes the names of recent victims and proof of the stolen data. Victims can reach their individual area by entering an ID, which is also found in the text file. There, alongside the repeated claim that buying the decryptor is the only way to get the data back, they find concrete details and demands. A note states what data is involved, for example national insurance numbers or financial documents, and threatens to publish it if the victim does not cooperate. A countdown on the website shows the current price and the time remaining for cooperation. A test decryption is also offered: victims can upload an encrypted file to verify that it can be decrypted successfully. A support module allows interaction with a support bot for further questions.
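The two on-disk artifacts described above, the ".avos" extension and the GET_YOUR_FILES_BACK.txt ransom note, are what an incident responder looks for first when triaging a share or a backup target. The following Python script is an added example, not code from the original article or from any vendor, that walks a directory tree and reports those indicators per folder, including folders that already hold ".avos" files but no note yet (a sign that encryption may still be running). The sample directory layout it builds is constructed for the demonstration; the note content is a placeholder, not the real note text.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the article: encrypted files carry a ".avos" suffix and
# every affected folder receives a ransom note called GET_YOUR_FILES_BACK.txt.
AVOS_EXTENSION = ".avos"
RANSOM_NOTE_NAME = "GET_YOUR_FILES_BACK.txt"


def scan_for_avoslocker_indicators(root):
    """Walk `root` and report AvosLocker-style indicators.

    Returns a dict with the number and paths of ".avos" files, the folders that
    contain a ransom note, and folders holding encrypted files without a note.
    All paths are reported relative to `root`.
    """
    root = Path(root)
    encrypted_files = []
    note_dirs = set()
    dirs_with_encrypted = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE_NAME:
                note_dirs.add(Path(dirpath))
            elif name.endswith(AVOS_EXTENSION):
                encrypted_files.append(Path(dirpath) / name)
                dirs_with_encrypted.add(Path(dirpath))
    rel = lambda p: str(p.relative_to(root))
    return {
        "encrypted_file_count": len(encrypted_files),
        "encrypted_files": sorted(rel(p) for p in encrypted_files),
        "ransom_note_dirs": sorted(rel(p) for p in note_dirs),
        "encrypted_without_note": sorted(rel(p) for p in dirs_with_encrypted - note_dirs),
        "infected": bool(encrypted_files or note_dirs),
    }


def build_sample_tree(base):
    """Create a constructed directory layout for demonstration only."""
    base = Path(base)
    for sub in ("finance", "hr", "clean"):
        (base / sub).mkdir(parents=True, exist_ok=True)
    # constructed: one folder fully processed (encrypted file + note) ...
    (base / "finance" / "quarterlyreport.xlsx.avos").write_bytes(b"\x00" * 16)
    (base / "finance" / RANSOM_NOTE_NAME).write_text("constructed placeholder note\n")
    # ... one folder with an encrypted file but no note yet ...
    (base / "hr" / "contracts.docx.avos").write_bytes(b"\x00" * 16)
    # ... and one untouched folder.
    (base / "clean" / "readme.txt").write_text("unaffected file\n")
    return base


def demo_scan():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_avoslocker_indicators(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo_scan().items():
        print(f"{key}: {value}")
```

Point the scanner at a file server root or a mounted backup volume rather than the constructed tree; the "encrypted_without_note" list is the one worth acting on immediately, since it indicates folders where the encryption run may not have finished.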
Once criminals have taken a victim’s data hostage and demanded a ransom, it is usually too late. Decryption without contacting the attacker is almost impossible. Nevertheless, it is advised not to communicate with the attackers or pay the ransom. There is no guarantee that the cybercriminals will release the data after payment.
How could this happen?
There are two ways that AvosLocker makes its way onto a computer to hijack data: email spam and Trojans. Often, careless users are tricked into opening email attachments that contain the Avos encrypter. There are no limits to the creativity used here. Whether it is a supposed holiday picture, an invoice or a parcel notification, as soon as the file is opened, the encryption of the data begins.
Trojans, which can be used to install the Avos encrypter, also rely on clever and deceptive methods to make their way onto computers. For example, installation files disguised as updates for your browser (and other similar programs) are available on the Internet. If a user downloads and executes one of these "updates", AvosLocker encrypts their data and the cybercriminals extort a ransom.
How can you protect yourself?
Ransomware attacks are a major threat to businesses and individuals. In addition to the risk of losing valuable data, an attack usually means financial loss, a drop in productivity and a loss of trust among customers. Once AvosLocker has encrypted a system, the cards are stacked against you. AvosLocker must be removed from the operating system, but this does not restore the encrypted data. The only solution is to restore the data from a backup.
To prevent criminals from accessing your systems and stealing data, you must exercise care. Create regular backups stored in different locations – i.e. on other servers or disconnected storage media – and regularly test restoring them. Always keep your software up to date. Reduce your attack surface by removing unused or unimportant programs. Use strong passwords and multi-factor authentication. And most importantly, regularly educate your employees on how to deal with suspicious emails and rogue updates. To measure the resilience of your employees to such attacks and, if necessary, make targeted improvements, you can use the Increase Your Skills Phishing Attack Simulator. This tool allows you to measure how your employees react to phishing attacks, conducted in a safe environment. After all, in an actual attack, it only takes a single mistake for a company to fall into the hands of these digital hostage-takers.
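A backup is only a recovery option if a restore has actually been tested, and a backup job that quietly captured already-encrypted files is worthless when it is needed. The following Python script is an added example, not code from the original article or any product mentioned in it, that fingerprints a source tree and a restored tree with SHA-256, reports files that are missing or differ after the restore, and flags anything in the restore that carries the ".avos" suffix. The two directory layouts it compares are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".avos"  # extension AvosLocker appends, per the article


def sha256_of(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large files are hashed without loading fully."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(source_root, restored_root):
    """Compare a restored backup against the live data it should reproduce.

    Returns the files missing from the restore, the files whose content differs,
    the files in the restore that look encrypted, and an overall ok flag.
    """
    source = fingerprint_tree(source_root)
    restored = fingerprint_tree(restored_root)
    missing = sorted(set(source) - set(restored))
    changed = sorted(p for p in source if p in restored and source[p] != restored[p])
    suspicious = sorted(p for p in restored if p.endswith(ENCRYPTED_SUFFIX))
    return {
        "missing": missing,
        "changed": changed,
        "suspicious": suspicious,
        "ok": not (missing or changed or suspicious),
    }


def _write(base, rel, content):
    path = Path(base) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo_verify():
    """Run one failing and one passing restore check on constructed trees."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as bad, \
            tempfile.TemporaryDirectory() as good:
        # constructed live data
        _write(src, "docs/a.txt", "alpha")
        _write(src, "docs/b.txt", "bravo")
        _write(src, "docs/c.txt", "charlie")
        # constructed bad restore: b.txt corrupted, c.txt absent, encrypted file present
        _write(bad, "docs/a.txt", "alpha")
        _write(bad, "docs/b.txt", "BRAVO-corrupted")
        _write(bad, "docs/d.txt" + ENCRYPTED_SUFFIX, "\x00\x00")
        # constructed good restore: exact copy
        for rel, content in (("docs/a.txt", "alpha"), ("docs/b.txt", "bravo"),
                             ("docs/c.txt", "charlie")):
            _write(good, rel, content)
        return verify_restore(src, bad), verify_restore(src, good)


if __name__ == "__main__":
    failing, passing = demo_verify()
    print("bad restore:", failing)
    print("good restore:", passing)
```

Run verify_restore against a restore performed on an isolated host from the offline copy, not against the live backup target itself, so the test exercises the same path you would take during a real incident.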