AvosLocker ransomware gang to auction the data of victims who don’t pay
Image: The Record
Catalin Cimpanu October 4, 2021

AvosLocker ransomware gang to auction the data of victims who don’t pay

AvosLocker ransomware gang to auction the data of victims who don’t pay

The operators of the AvosLocker ransomware gang have updated their website to create a system through which they plan to auction off the data of hacked companies that refuse to pay ransom demands.

The AvosLocker gang’s site —updated two weeks ago— introduces a twist on the classic ransomware double-extortion scheme.

What is the double-extortion scheme?

The double-extortion tactic was first utilized by the Maze ransomware gang in late 2019 when the group began stealing files from hacked companies before encrypting their files. If the victim did not want to pay the hacker’s ransom and receive the decryption key, the attackers would threaten to release sensitive files online, on the dark web, via so-called “leak sites.” While the tactic was initially used by the Maze gang, it was broadly adopted by most other gangs, and today, almost all new ransomware operations use a leak site as a way to intimidate and shame victims that refused to give in.

First spotted in July 2021, AvosLocker also utilized this well-established scheme and, through the summer, released data from several victims that refused to pay or engage following their attacks.

But in mid-September, the group launched a redesigned version of their site that, besides adding a dark mode, also added the new auction feature.

Now, instead of dumping the victim’s data online for free, the AvosLocker gang is auctioning this information in a “clever” attempt to generate some sort of profit from what would normally equate to a failed attack.

The use of an auction feature is a clever move from the AvosLocker gang, since, through the past year, data released for free by ransomware gangs has often been re-sold on Telegram channels and underground cybercrime forums.

However, AvosLocker is not the first gang to add an auction feature to their site, and the update was most likely inspired by the REvil ransomware gang, which was the first to use such a feature back in June 2020.

The good news is that despite the clever feature, the AvosLocker gang is not one of today’s top or most active ransomware groups, with fewer than 10 attacks carried out per week, according to data provided by the ID-Ransomware service.

AvosLocker-IDR

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.