avco3

[Content by Gemini 2.5]

Ransomware Profile: avco3 – What You Need to Know Right Now


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The strain appends .avco3 (exactly five lower-case characters; the final digit is “3”, not the letter “o”).
  • Renaming Convention: Targets keep their original file names but receive a chained suffix:
    OriginalFile.ext.id-XXXXXXXX.[[email protected]].avco3
    – id-XXXXXXXX is a random 8-hex-digit victim identifier.
    – The email inside the brackets is the negotiator mailbox. If the campaign runs with several affiliates at once, the bracketed alias varies (e.g., [email protected]) but the outer .avco3 extension remains constant.
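The chained suffix above is the fastest way to scope an outbreak, because the victim ID and negotiator mailbox tell you how many distinct intrusions and affiliates you are dealing with. The following parser is an added example, not tooling from the profile: it recognises the `OriginalFile.ext.id-XXXXXXXX.[mailbox].avco3` pattern, extracts the three fields, and counts encrypted files per victim ID and per mailbox. The file names and mailboxes in the sample listing are constructed for the example.

```python
import re
from collections import Counter

# Added example (not from the profile): recognise the chained avco3 suffix
# OriginalFile.ext.id-XXXXXXXX.[mailbox].avco3 and pull out the victim ID and
# negotiator mailbox so a responder can scope the outbreak from a file listing.
AVCO3_NAME = re.compile(
    r"^(?P<original>.+?)"               # original file name, including its extension
    r"\.id-(?P<victim>[0-9A-Fa-f]{8})"  # random 8-hex-digit victim identifier
    r"\.\[(?P<mailbox>[^\]]+)\]"        # negotiator mailbox in square brackets
    r"\.avco3$"                         # constant outer extension
)


def parse_avco3_name(name: str):
    """Return (original_name, victim_id, mailbox) or None if the name is not an avco3 rename."""
    m = AVCO3_NAME.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim").lower(), m.group("mailbox")


def summarise(names):
    """Count encrypted files per victim ID and per negotiator mailbox."""
    victims, mailboxes, hits = Counter(), Counter(), []
    for n in names:
        parsed = parse_avco3_name(n)
        if parsed:
            hits.append(parsed)
            victims[parsed[1]] += 1
            mailboxes[parsed[2]] += 1
    return {"encrypted": len(hits), "victims": dict(victims), "mailboxes": dict(mailboxes)}


# Constructed sample listing; the mailboxes are placeholders, not real addresses.
SAMPLE_LISTING = [
    "Q4-forecast.xlsx.id-1A2B3C4D.[negotiator@example.invalid].avco3",
    "contract.docx.id-1A2B3C4D.[negotiator@example.invalid].avco3",
    "notes.txt",
    "scan.pdf.id-DEADBEEF.[other-affiliate@example.invalid].avco3",
    "trap.avco3",                                      # bare extension without the chain: not matched
    "backup.zip.id-12345.[x@example.invalid].avco3",   # victim ID is not 8 hex digits: not matched
]

if __name__ == "__main__":
    print(summarise(SAMPLE_LISTING))
```

Two victim IDs under one mailbox usually means two separately compromised hosts; two mailboxes means more than one affiliate is working the environment, which matters when you negotiate or report.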

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First large-scale sightings occurred in late November 2023 when several MSPs and small healthcare providers in the U.S. and Germany reported over-night mass encryption. By early January 2024 it had become one of the top-five off-the-shelf payloads advertised on dark-web “Ransomware-as-a-Service (RaaS)” panels linked to Phobos/FAUST family infrastructures.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. RDP Brute Force & Stolen Credentials – Rather than self-propagating like worm-style ransomware such as Petya, avco3 teams prefer manual post-compromise scripts pushed via compromised Domain Admin accounts.
    2. Exploit Kits / Remote Code Execution – Windows-based Remote Monitoring & Management (RMM) tools lacking 2FA are a recurring entry point: AnyDesk, ScreenConnect, Atera, and older versions of N-able (formerly SolarWinds) RMM.
    3. Malicious Email Attachments – While not dominant, zipped .js droppers and documents carrying LNK shortcuts have been seen.
    4. System & Backup Attacks – Once inside, avco3 installs a service that:
       • Disables Windows Defender via Set-MpPreference PowerShell calls
       • Runs vssadmin delete shadows /all /quiet to destroy volume shadow copies
       • Runs wevtutil cl System to clear the System event log and cover its tracks
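Those three commands are the loudest thing the service does before encryption starts, so they are worth a dedicated detection. The script below is an added example, not from the profile: it matches the Defender tamper, shadow-copy deletion and log-clearing commands in process-creation records and then escalates any host that trips more than one rule, because a lone `vssadmin` or `wevtutil` call can also be routine administration. The record layout and the log lines are constructed for the example; a Sysmon Event ID 1 or Security 4688 export would be mapped onto the same fields.

```python
import re
from collections import defaultdict

# Added example (not from the profile): flag the defence-evasion commands the
# profile attributes to the avco3 service, then escalate hosts that show more
# than one of them in the same record set.
RULES = [
    ("defender-tamper",      re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
    ("shadow-copy-deletion", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("event-log-clearing",   re.compile(r"\bwevtutil(?:\.exe)?\b\s+cl\b", re.I)),
]

# Assumed record layout for this example (timestamp, host, user, command line).
RECORD = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)


def detect(lines):
    """Return one alert per (record, rule) match."""
    alerts = []
    for raw in lines:
        m = RECORD.match(raw.strip())
        if not m:
            continue                      # skip lines that are not process-creation records
        for rule, rx in RULES:
            if rx.search(m["cmd"]):
                alerts.append({"rule": rule, "ts": m["ts"], "host": m["host"],
                               "user": m["user"], "cmd": m["cmd"]})
    return alerts


def staging_hosts(alerts, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired: likely ransomware staging."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


# Constructed sample records; host names, users and timestamps are invented.
SAMPLE_LOG = [
    '2024-01-05T02:13:44Z host=WS01 user=CORP\\da-admin cmd="powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2024-01-05T02:13:51Z host=WS01 user=CORP\\da-admin cmd="vssadmin delete shadows /all /quiet"',
    '2024-01-05T02:14:02Z host=WS01 user=CORP\\da-admin cmd="wevtutil cl System"',
    '2024-01-05T03:00:10Z host=FS02 user=CORP\\backup-svc cmd="vssadmin list shadows"',
    '2024-01-05T09:15:33Z host=WS07 user=CORP\\helpdesk cmd="wevtutil cl Application"',
    '2024-01-05T09:16:00Z host=WS07 user=CORP\\helpdesk cmd="notepad.exe C:\\temp\\ticket.txt"',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["host"]:5} {a["rule"]:22} {a["cmd"]}')
    print("staging hosts:", staging_hosts(found))
```

In the sample, WS01 fires all three rules within twenty seconds under a Domain Admin account and is escalated; the backup service only listing shadows and the help-desk clearing a single Application log each produce at most one alert and stay at triage priority.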

Remediation & Recovery Strategies

1. Prevention

  • Immediate Controls
    – Disable RDP exposure on TCP/3389 at the firewall; enforce VPN-only access.
    – Enforce mandatory 2FA for any remote-support tool (AnyDesk, ConnectWise, etc.).
    – Apply Microsoft KB updates that patch common domain-escalation flaws: KB5027231 (April 2023), KB5026361 (May 2023) and KB5004442 (SMB server hardening).
    – Deploy application allow-listing (WDAC/AppLocker) that blocks wscript.exe, cscript.exe and PowerShell.exe unless explicitly allowed.
    – Segment backups completely: immutable S3 Object Lock, Veeam Hardened Repositories, or air-gapped tape.

2. Removal (Step-by-Step Disinfection)

  1. Isolate – Remove the infected machine from the network; power off cloud replicas connected via site-to-site VPN.
  2. Boot into Windows Safe Mode with Networking (or WinRE if Safe Mode fails).
  3. Kill malicious services:
     • Open “Task Manager ➞ Details”, locate any suspicious svhostvr.exe or random-named *.exe under %APPDATA%\Microsoft\, and end those tasks.
  4. Delete persistence artifacts:
     • Registry run key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ value “V2st”
     • Scheduled task: C:\Windows\System32\Tasks\Microsoft\Windows\PowerShell\ScheduledJobs\BrowserUpdate
  5. Remove binaries:
     • Look in %SystemDrive%\Users\[username]\AppData\Local\Temp and %LOCALAPPDATA%\Temp\.
  6. Manual AV/EDR scan: ESET Online Scanner, Malwarebytes (offline definitions), or your standard EDR in “aggressive” mode.
  7. Restore user profiles / reinstall the OS only if scans still flag kernel tampering.
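Steps 3 to 5 are easier to repeat across a fleet if the persistence checks are scripted against exported evidence rather than done by hand in Task Manager and Regedit. The following triage helper is an added example, not tooling from the profile: it parses a `.reg` export of the Run key and a listing of the scheduled-task directory, and flags the artifacts the steps above name (the “V2st” value, svhostvr.exe, any executable sitting directly under %APPDATA%\Microsoft\, and the ScheduledJobs\BrowserUpdate task). The export, user name and task paths are constructed for the example.

```python
import re

# Added example (not from the profile): triage an exported Run key and a
# scheduled-task listing for the persistence artifacts named in the removal steps.
SUSPECT_VALUE_NAMES = {"v2st"}                 # Run value name from the removal steps
SUSPECT_BINARIES = {"svhostvr.exe"}            # binary name from the removal steps
APPDATA_MS_EXE = re.compile(                   # any .exe directly under %APPDATA%\Microsoft\
    r"(?:%APPDATA%|\\AppData\\Roaming)\\Microsoft\\[^\\]+\.exe$", re.I)
SUSPECT_TASK = re.compile(
    r"\\Tasks\\Microsoft\\Windows\\PowerShell\\ScheduledJobs\\BrowserUpdate$", re.I)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def _unescape(value: str) -> str:
    """.reg exports escape backslashes and double quotes with a backslash."""
    return re.sub(r'\\(["\\])', r"\1", value)


def _executable(command: str) -> str:
    """First token of a Run command: a quoted path, or the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_run_key(reg_export: str):
    """Return the Run values that match any indicator, with the reasons."""
    findings = []
    for line in reg_export.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue                              # header, key path or blank line
        name, command = m["name"], _unescape(m["value"])
        exe = _executable(command)
        reasons = []
        if name.lower() in SUSPECT_VALUE_NAMES:
            reasons.append("known avco3 value name")
        if exe.rsplit("\\", 1)[-1].lower() in SUSPECT_BINARIES:
            reasons.append("known avco3 binary name")
        if APPDATA_MS_EXE.search(exe):
            reasons.append("executable directly under %APPDATA%\\Microsoft\\")
        if reasons:
            findings.append({"value": name, "exe": exe, "reasons": reasons})
    return findings


def triage_tasks(task_paths):
    """Return the task files whose path matches the ScheduledJobs\\BrowserUpdate indicator."""
    return [p for p in task_paths if SUSPECT_TASK.search(p)]


# Constructed export; the user name and the unflagged entries are invented.
RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"V2st"="C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\svhostvr.exe"
"Updater"="%APPDATA%\\Microsoft\\qx7h2k.exe -s"
'''

# Constructed directory listing of C:\Windows\System32\Tasks.
TASK_LISTING = [
    r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag",
    r"C:\Windows\System32\Tasks\Microsoft\Windows\PowerShell\ScheduledJobs\BrowserUpdate",
]

if __name__ == "__main__":
    for f in triage_run_key(RUN_KEY_EXPORT):
        print(f'{f["value"]}: {f["exe"]} ({"; ".join(f["reasons"])})')
    print("suspect tasks:", triage_tasks(TASK_LISTING))
```

The quoted-path handling matters: legitimate entries such as OneDrive wrap the path in quotes and add switches, and a naive split on spaces would misread the executable location and miss or mis-flag it.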

3. File Decryption & Recovery

  • Recovery feasibility to date:
    – No public decryptor exists for the hybrid ChaCha20 + RSA-2048 encryption scheme used by avco3’s fork of Phobos.
    – Victims should avoid paying unless the legal/regulatory need for immediate uptime outweighs the likelihood of never receiving a working decryptor.
  • Validated paths to recovery:
    1. Verified offline backups with an integrity-tested chain of custody.
    2. Volume shadow copy remnants may survive if the ransomware service failed to run (check with ShadowExplorer or vssadmin list shadows).
    3. Windows Previous Versions or restore points, if the attacker focused only on %userprofile% paths.
  • Tools for integrity verification:
    – IREC (ImmuniSec Ransomware Entropy Checker) to separate clean from encrypted files.
    – Phobos Decryptor Comparer (proof-of-existence): simply drops the ransom note (info.hta) to confirm the exact strain for insurance reporting.
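Before restoring from shadow copies, Previous Versions or a backup set, you need to know which copies are actually clean, and the rename alone is not enough: a file the service encrypted but had not yet renamed when it was killed still carries ciphertext. The sweep below is an added example, not IREC or any tool from the profile: it scores the first 64 KiB of each file with Shannon entropy and sorts files into renamed-encrypted, high-entropy and clean. The sample tree it builds is constructed, with PRNG output standing in for ciphertext.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Added example (not from the profile and not IREC): a Shannon-entropy sweep to
# verify which files are safe to restore. Ciphertext scores close to 8 bits per
# byte; documents, source code and logs score far lower.
SAMPLE_BYTES = 64 * 1024   # only the first 64 KiB of each file is scored
HIGH_ENTROPY = 7.9         # bits per byte; random/encrypted data sits at ~7.99


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if path.suffix == ".avco3":
        return "renamed-encrypted"
    if len(head) >= 256 and shannon_entropy(head) >= HIGH_ENTROPY:
        return "high-entropy"   # ciphertext, or a compressed archive/media file: verify by hand
    return "clean"


def sweep(root) -> dict:
    """Classify every regular file under root; paths are reported relative to root."""
    report = {"renamed-encrypted": [], "high-entropy": [], "clean": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            report[classify(p)].append(str(p.relative_to(root)))
    return report


def make_demo_tree() -> str:
    """Constructed sample tree: one clean document, one renamed ciphertext file and
    one high-entropy file without the rename. PRNG bytes stand in for ciphertext."""
    root = Path(tempfile.mkdtemp(prefix="avco3-demo-"))
    rng = random.Random(2024)
    (root / "minutes.txt").write_bytes(b"Board minutes, Q4 review. " * 2000)
    (root / "ledger.xlsx.id-1A2B3C4D.[negotiator@example.invalid].avco3").write_bytes(
        rng.randbytes(SAMPLE_BYTES))
    (root / "in-progress.bin").write_bytes(rng.randbytes(SAMPLE_BYTES))
    return str(root)


if __name__ == "__main__":
    for cls, files in sweep(make_demo_tree()).items():
        print(f"{cls:18} {files}")
```

Treat “high-entropy” as a review queue rather than a verdict: ZIP archives, JPEGs and already-encrypted backups score just as high as ransomware output, so confirm those by opening them or checking their magic bytes before deciding whether a restore point is usable.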

4. Other Critical Information

  • Unique Characteristics
    – Credential Dumper Suite: Along with an avco3 DDoS component (for noise), the payload drops a Mimikatz fork, ProcDump for LSASS dumping, and rclone.exe for mass exfiltration to Mega.io, making a double-extortion playbook likely.
    – Chain-of-Trust Bypass: avco3 whitelists itself inside Windows Defender SmartScreen using an injected fake Microsoft certificate; many endpoint telemetry products will show a “Signed, Trusted” status until definition DB 1.397.172 (released 08-Jan-2024) is applied.
    – Lock-screen drop with embedded money counter: If the workstation has an NFC reader (e.g., hospital bedside terminals), it briefly locks the screen with a payment QR code directing users to scan it with their phone wallet; first observed on medical devices.

  • Wider Impact & Notable Cases
    – In December 2023 a 72-bed critical-access hospital in Pennsylvania paid USD 450 k after catastrophic EHR paralysis; an MSSP later found 15 TB of PII exfiltrated.
    – Brazilian law firm Nascimento & Amaral became public breach #4 after Twitter researchers spotted credentials for their SharePoint from avco3 operators’ Telegram channel (“#Dumps24h”).
    – The cyber-insurance arm of Hiscox added avco3 to high-risk MRSP effective 1 Feb 2024, increasing renewal premiums by 22 %.

Stay vigilant, patch aggressively, keep reliable offline backups, and engage law enforcement before paying any ransom.