An affiliate of the AvosLocker ransomware group extorts $85,000 in bitcoin from a company thanks to a known vulnerability

An affiliate of the AvosLocker ransomware group extorts $85,000 in bitcoin from a company thanks to a known vulnerability in FortiGate VPN (CVE-2018-13379), a vulnerability that the American multinational had already corrected with an update released in November 2019.
The company that had not updated its systems is a small business that sells paint.

At the end of August, the servers of a company that sells paint were hit by an AvosLocker affiliate. The ransomware group never published the victim's name on its blog.

Although at one point in the chat the victim writes "... bitcoin payment by end of day today, UK time", SuspectFile.com cannot at this time state with certainty that the headquarters of the company hit by the attack is located in the United Kingdom.

What is certain is that, at one point in the chat, the victim writes:

“Hello Staff, we are working with the broker to do the bitcoin payment by end of day today, UK time”.

The conversation between the AvosLocker "staff" and the victim began last September 3 and ended yesterday with the payment of the ransom.

As already noted, the attack was carried out not by AvosLocker directly but by one of its affiliates. As the chat shows, the negotiation was conducted not by those who actually attacked the company's servers but by a member of the AvosLocker "staff".

At several points in the chat the victim asks which files the attackers still hold, but the AvosLocker "staff" member replies that he does not know and will ask the affiliate. According to AvosLocker, the files were downloaded to external storage drives and are therefore not managed directly by the group.

In the early afternoon of September 3, after a few hours of chatting with the "staff", the victim tries to decrypt a file using the service AvosLocker provides. But something goes wrong: the file is not decrypted.

The explanation is simple: the online decryption service on the chat page works only with the old version of the ransomware, while in this case the new version of AvosLocker was used to encrypt the data, appending the ".avos2" extension to the files.
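The point about versions matters for incident triage: before trusting any decryption tool, a responder first establishes which variant touched the files. The following Python script is an added example written for this article, not code from SuspectFile.com or from AvosLocker; it groups file names by ransomware extension and reports whether the old-version decryptor described above could even apply. The ".avos2" suffix for the new version comes from the article; the ".avos" suffix used here for the old version, and the sample file listing, are assumptions constructed for the example.

```python
"""Added triage example: classify encrypted files by AvosLocker extension.

Assumptions (not from the article): the older version appends ".avos";
the sample paths below are constructed, not real victim data.
"""
from collections import Counter
from pathlib import PurePosixPath

# ".avos2" marks the new version (stated in the article);
# ".avos" for the old version is an assumption for this example.
VARIANT_BY_SUFFIX = {".avos": "old", ".avos2": "new"}


def classify(paths):
    """Count files per variant and collect paths with no ransomware suffix."""
    counts = Counter()
    untouched = []
    for p in paths:
        suffix = PurePosixPath(p).suffix  # last suffix only, e.g. ".avos2"
        variant = VARIANT_BY_SUFFIX.get(suffix)
        if variant is None:
            untouched.append(p)
        else:
            counts[variant] += 1
    return counts, untouched


def old_version_decryptor_applies(counts):
    """The chat-page decryptor handles only the old version (per the article),
    so it is useful only when every encrypted file carries the old suffix."""
    return counts.get("new", 0) == 0 and counts.get("old", 0) > 0


def report(paths):
    """Summarise a file listing for a responder deciding on next steps."""
    counts, untouched = classify(paths)
    return {
        "old": counts.get("old", 0),
        "new": counts.get("new", 0),
        "untouched": len(untouched),
        "old_decryptor_applies": old_version_decryptor_applies(counts),
    }


# Constructed sample listing (hypothetical paths, not from the incident).
SAMPLE = [
    "/srv/share/invoices/2021-08.xlsx.avos2",
    "/srv/share/catalogue/colour-chart.pdf.avos2",
    "/srv/share/readme.txt",
]

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run on a real host, the listing would come from a file-system walk rather than the embedded sample; the verdict field tells the responder immediately that a decryptor built for the older variant is not worth attempting against ".avos2" files.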