SuspectFile intervista AvosLocker: nuovi dettagli sulla variante avos2


In this article we report on AvosLocker, one of the newest ransomware-as-a-service (RaaS) groups open to affiliates, which has already made a name for itself through numerous cyber attacks carried out despite only a few months of existence.

According to the posts published on its blog on the Tor network, AvosLocker has breached the servers of 15 entities, but we can say with certainty that there are several others that have not yet appeared on the pages of its website.

For AvosLocker there is no distinction in the choice of targets, given that it has had no qualms about hitting hospitals and government institutions. Another trait it shares with several other cybercriminal groups is that it does not attack CIS and post-Soviet countries, although SuspectFile does not believe AvosLocker belongs to that region.

In recent weeks, as we already described in this article of ours on the case of one of its latest victims, AvosLocker has been operating with a new variant of its ransomware: Avos2.

AvosLocker describes this new variant as one of the fastest at encrypting data, but SuspectFile has no way of independently verifying the actual speed.

AvosLocker officially joined the long list of cybercriminal groups on 1 January 2021, when it published the first post on a page of its blog.


In recent days SuspectFile has had the opportunity to interact with a member of the group and put some questions to him; not all of them received an answer. Some of them, according to AvosLocker, could have compromised its operational security:
“… some of them would breach OPSEC”

From what we could gather, AvosLocker cares a great deal about its image and reputation, and we believe, at least from what we recently read in a chat between a victim, an affiliate and a member of the AvosLocker “staff”, that the conduct of the ransomware group in concluding the (illegal) “deal” was professional.

Ours are probably strong and out-of-place words that will certainly meet with the disapproval of researchers and law enforcement, given that we are still talking about cybercriminals.

It is absolutely not our intention to praise or endorse this criminal behaviour, but it had to be written, if only because of the hundreds of chats between “victims and perpetrators” we have read over the past two years, in which the victim, besides being robbed, was in many cases also mocked, which did not happen with AvosLocker.

Below is our interview with the AvosLocker ransomware group.

Q: How much time did you spend choosing your name, and Avos is a Russian word (“авось”) which basically means “hope, trust in something”?
A: [No response]

Q: What does the “blue beetle” logo of your Group mean to you?
A: [No response]

Q: Your Group was first noticed by researchers last June. Is it correct to say this or did your business start before this period?
A: [No response]

Q: In the recent past some well-known ransomware groups have disbanded for various reasons, including disagreement with a Group’s “guidelines” or because “they felt the breath of the police on their necks”. Was AvosLocker born from the dissolution of other groups?
A: Absolutely.

Q: AvosLocker is a ransomware as a service (RaaS) which offers the affiliate service for its expansion. Don’t you think that, as has already happened for other groups, affiliation can be something unreliable, a weapon that can backfire on you like a boomerang?
A: Affiliates were included in our threat model.

Q: We could read a chat between a recent victim of your affiliate and your direct operator. Some communication problems emerged during the negotiation. The victim asked for concrete evidence of the data breach and a complete list of the directories attacked, but the operator could not answer because all the data was in the hands of the affiliate. Don’t you think these situations can undermine your credibility in terms of trust?
A: AvosLocker, being the guarantor/escrow, receives the payment on behalf of the affiliate and pays the affiliate AFTER confirming data erasure on behalf of the corporation.
The affiliates, the groups that are actually doing the attacks, will always persist and they will always use one RaaS or the other. Our value, for the corporations involved, is that we’ll be fair to both parties.

Q: You started your business with a variant of the ransomware that added the .avos extension to files after encryption.
As we know, you have evolved with a new encryption model much faster than the first one, called .avos2, capable of encrypting data at a speed of 400 MB/s; from the data in our possession we currently believe it is the fastest when compared with that of other ransomware groups.
What further details can you give us about .avos2?
A: We’ve analyzed samples from known & credible groups; after a careful examination of their strategies (encryption algorithms, hardware acceleration, async/sync IO, threading) we’ve changed everything in our core, hence why the variant has a different extension: it’s not backwards-compatible.
Avos2 has a perfect selection of ciphers, fast & reliable encryption algorithms, and it uses IOCP for threading. The 400 MB/s figure, by itself, doesn’t really mean much since these figures depend heavily on the hardware.
Compared to Lockbit 2.0 & Blackmatter, I can tell you that we are about three times faster than Blackmatter and we are about the same with Lockbit 2.0, with only slight differences based on hardware used on the underlying system.

Q: In terms of time, how long does it normally take to implement new code and therefore a new variant of your ransomware?
A: We’ve been relatively fast compared to other groups in building new infrastructure and software overall.

Q: How do you approach other RaaS groups, is there something your Group does not share in their way of acting?
A: [No response]

Q: Being “in the center of attention” of the police is never a good thing for a ransomware group; the attack on the Colonial Pipeline or against Kaseya is proof of that. But was there a moment when you thought “this is an important goal, it doesn’t matter if we will have the spotlight on us”?
A: [No response]

Q: Between 2020 and mid-2021 there was a significant increase in attacks against Health and Educational Institutions; we cite only two as an example: Universal Health Services (UHS), which would have caused the Health Institution a loss close to $70M, and Blackbaud, which involved at least 8M certified people and 466 Educational Institutions in the world.
In your opinion, the only cause / effect is to be found in the Covid-19 epidemic and the consequent reshaping in the way of working, “smart working”?
A: It is a factor.

Q: Does AvosLocker have a moral code that prohibits it from attacking such institutions?
A: [No response]

Q: As with some Ransomware Groups, do you or your affiliates make your choice based on the language of the operating system, or does the nationality of the victim matter to you?
A: We allow our affiliates to attack anywhere but CIS, post-Soviet Union countries.

Q: It is a fact that most companies in any industry invest little or nothing in their IT security. But beyond that, what are the major shortcomings on which companies should intervene?
A: Lack of insurance is a big one.

Q: Do you, like some other groups, think that some IT security companies to which companies entrust the task of “negotiator” eventually make an agreement with the Ransomware Group secretly and for a fee?
A: Definitely.

Q: What reasons, if any, besides money, have motivated you to choose this path in your life?
A: [No response]

Q: We can’t think of you in front of a monitor 24 hours a day. How do you spend your day when you decide “I dedicate this day to me and my family”?
A: [No response]