SpearTip | July 27th, 2021

Officials reported Monday that Geneva, a small city in Ohio, was the victim of a data breach involving a new type of ransomware called AvosLocker.

The information was revealed after files stolen from the city’s servers were discovered on a leak website run by the AvosLocker ransomware group, which began posting data taken from its targets in early June. The FBI and Cybersecurity and Infrastructure Security Agency were notified by the city, which has a population of 6,200 people. Geneva is at least the 45th U.S. local government to be attacked by ransomware in 2021.

AvosLocker, like most extortion malware, uses a network of affiliates to provide ransomware-as-a-service. The Geneva attack was attributed to “one of our partners,” according to the leak website. AvosLocker, according to Recorded Future analyst Allan Liska, is “really new and have mostly hit relatively small targets so far.” It has infected a few law firms and logistics corporations in Europe and the United States, in addition to Geneva.

The AvosLocker site displayed a sample of the stolen data, including file directories, court records, and a tax return with Social Security numbers, and threatened to expose everything if the city refused to bargain. In May, another ransomware group exposed dozens of Washington, D.C. police officers’ personnel information when its demands were not met.

AvosLocker is run manually by threat actors who access the machine remotely. It then scans for any accessible drives before beginning the encryption process.

AvosLocker evades detection by obfuscating its code, but during execution the threat actor can observe a log of the actions being performed. AvosLocker collects a list of processes that may block access to files and terminates them before encryption.
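The sequence described above (terminate processes that hold files open, then encrypt) is something a SOC can look for in endpoint telemetry. The following is an added example, not SpearTip's or AvosLocker-specific code: it correlates a burst of process terminations with a burst of file renames on the same host within a short window. The event names and the sample telemetry are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real incident data): (time, host, event_type).
# Event types are assumed names for EDR/Sysmon-style records: "proc_terminate"
# for a process being killed, "file_rename" for a file written under a new name.
def _burst(host, kind, start, count, step_s=1):
    return [(start + timedelta(seconds=i * step_s), host, kind) for i in range(count)]

T0 = datetime(2021, 7, 26, 10, 0, 0)
SAMPLE_EVENTS = (
    # WS-01: kill blocking processes, then mass renames -> the described sequence
    _burst("WS-01", "proc_terminate", T0, 6)
    + _burst("WS-01", "file_rename", T0 + timedelta(seconds=10), 25)
    # WS-02: a couple of terminations and a few renames -> ordinary activity
    + _burst("WS-02", "proc_terminate", T0, 2)
    + _burst("WS-02", "file_rename", T0 + timedelta(seconds=5), 3)
    # WS-03: mass renames with no preceding kills -> e.g. a backup job, not flagged
    + _burst("WS-03", "file_rename", T0, 25)
)

def detect_kill_then_encrypt(events, window_s=60, kill_threshold=5, rename_threshold=20):
    """Return one alert per host where at least kill_threshold process terminations
    occur within window_s seconds AND at least rename_threshold file renames follow
    the first of those kills inside the same window."""
    alerts = []
    by_host = {}
    for t, host, kind in sorted(events):
        by_host.setdefault(host, []).append((t, kind))
    window = timedelta(seconds=window_s)
    for host, evs in by_host.items():
        kills = [t for t, k in evs if k == "proc_terminate"]
        renames = [t for t, k in evs if k == "file_rename"]
        for t0 in kills:  # anchor the window on each termination in turn
            kills_in = sum(1 for t in kills if t0 <= t <= t0 + window)
            renames_in = sum(1 for t in renames if t0 <= t <= t0 + window)
            if kills_in >= kill_threshold and renames_in >= rename_threshold:
                alerts.append({"host": host, "start": t0, "kills": kills_in, "renames": renames_in})
                break  # one alert per host is enough to trigger triage
    return alerts

if __name__ == "__main__":
    for a in detect_kill_then_encrypt(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: {a['kills']} kills then {a['renames']} renames from {a['start']:%H:%M:%S}")
```

Requiring both signals keeps a backup job (renames only) or a routine service restart (kills only) from paging the on-call engineer.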

As new types of ransomware emerge in the threat landscape, staying up to date with them is crucial for your organization’s protection. The average IT team isn’t always equipped or technical enough to deal with these threats, which is why it’s important to bring in a security team like SpearTip to continuously monitor your networks.

We offer pre-breach advisory services to help your organization understand where your weak points are located. In addition to our pre-breach services, our Security Operations Center as a Service operates 24/7 and gives your organization the ability to contact our engineers at any moment while they continuously monitor your network. We believe in a 24/7 shop because threat actors don’t sleep. In fact, they’ll look to target your business at times when you wouldn’t normally be there, such as holidays or weekends.

Our 24/7 Incident Response team works in conjunction with our ShadowSpear platform to detect threats early and stop them in their tracks.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.