
SentinelOne Vs. AvosLocker – Mitigation and Rollback

See how SentinelOne mitigates and rolls back AvosLocker. AvosLocker emerged in June 2021 as a new RaaS (Ransomware As A Service) operator. They initially advertised their services on several well-known ‘underground’ crime forums. They also used this avenue to recruit additional team members and Initial Access Brokers.

Early in-the-wild samples do little to hide their activity: they require manual interaction and display (sometimes multiple) visible command windows. Later samples expand this basic functionality with command-line arguments that either hide the CMD windows or exclude network resources (mapped drives and accessible shares) from encryption.

Alongside the RaaS service, AvosLocker launched a TOR-based blog site to publicize and track non-compliant victims and their looted data. Since the launch, they have leaked data on 6 victims, including government, logistics, and legal targets.

Encryption uses a hybrid scheme: files are encrypted with AES, and the generated AES keys are in turn encrypted with RSA. Whether a file is eligible for encryption is determined solely by its extension.

#ransomware #cybersecurity #infosec #malware #avoslocker
