update based on ransomlook

clusters/ransomware.json

@@ -24910,7 +24910,37 @@
       "value": "Luna Ransomware"
     },
     {
-      "description": "Ransomware",
+      "description": "In March 2022, the FBI and the U.S. Treasury Financial Crimes Enforcement Network released a joint advisory addressing AvosLocker and their activity targeting organizations across several critical infrastructure sectors. The RaaS gang deploys ransomware onto their victim’s networks and systems, then threatens to leak their files on the dark web if they don’t pay up. AvosLocker is both the name of the RaaS gang, as well as the name of the ransomware itself.\n\nIn May 2022, AvosLocker took responsibility for attacking and stealing data from the Texas-based healthcare organization, CHRISTUS Health. CHRISTUS Health runs hundreds of healthcare facilities across Mexico, the U.S., and South America. The group stole information from a cancer patient registry which included names, social security numbers, diagnoses, dates of birth, and other medical information. The nonprofit Catholic health system has more than 600 healthcare facilities in Texas, Louisiana, New Mexico, and Arkansas. There are also facilities in Columbia, Mexico, and Chile.\n\nFortunately, the ransomware attack was quickly identified and was limited. While other healthcare organizations have not been as fortunate with ransomware attacks, the AvosLocker attack didn’t impact CHRISTUS Health’s patient care or clinical operations. CHRISTUS Health didn’t reveal whether or not the security incident included ransomware, data exfiltration or extortion, but due to AvosLocker’s reputation, it is more than likely that the incident included at least one of the three.",
+      "meta": {
+        "links": [
+          " http://avos2fuj6olp6x36.onion",
+          "http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion",
+          "http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion"
+        ],
+        "ransomnotes": [
+          "AvosLocker\n\nAttention!\nYour systems have been encrypted, and your confidential documents were downloaded.\nIn order to restore your data, you must pay for the decryption key & application.\nYou may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion.\nThis is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/\nDetails such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website.\nContact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly.\nThe corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion"
+        ],
+        "ransomnotes-filenames": [
+          "GET_YOUR_FILES_BACK.TXT"
+        ],
+        "ransomnotes-refs": [
+          "https://blog.talosintelligence.com/content/images/AVvXsEhKEpexiVYKoELvESd2mP0ZXLbQYgWcVJaE5VB9--yD3vS6FTVNfNbPkAHtJp3KjN1ANKVLa4zWvuEFN68QaepAj_xF3j9TrzqUMoOwvQXx_zIOH9Ar31JgWYX4mlpUIPLaLi76aWawvifF56qKZ1mgXncCRwAmu_fjqmD_PTWu_84E_uTqnW2qZIPM/s16000/image4.png"
+        ],
+        "refs": [
+          "https://www.avertium.com/resources/threat-reports/in-depth-look-at-avoslocker-ransomware",
+          "https://unit42.paloaltonetworks.com/atoms/avoslocker-ransomware/",
+          "https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update",
+          "https://www.picussecurity.com/resource/avos-locker-ransomware-group",
+          "https://brandefense.io/blog/ransomware/in-depth-analysis-of-avoslocker-ransomware/",
+          "https://blog.talosintelligence.com/avoslocker-new-arsenal/",
+          "https://www.techrepublic.com/article/avos-ransomware-updates-attack/",
+          "https://www.tripwire.com/state-of-security/avoslocker-ransomware-what-you-need-to-know",
+          "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker"
+        ],
+        "synonyms": [
+          "Avos"
+        ]
+      },
       "uuid": "73d3d8f8-83cc-4fdc-a645-d03b9a7b5a9b",
       "value": "AvosLocker"
     },
@@ -25085,7 +25115,86 @@
       },
       "uuid": "a322f03f-4bc8-455f-b302-e8724c46f80c",
       "value": "Atomsilo"
+    },
+    {
+      "description": "Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.",
+      "meta": {
+        "links": [
+          " http://avaddongun7rngel.onion "
+        ],
+        "refs": [
+          "https://heimdalsecurity.com/blog/avaddon-ransomware/",
+          "https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis"
+        ]
+      },
+      "uuid": "fdfbe721-abd1-4760-8e52-f23306f6cb80",
+      "value": "Avaddon"
+    },
+    {
+      "meta": {
+        "links": [
+          "http://avos2fuj6olp6x36.onion"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "77ea508a-12a4-454e-9b7a-28f9f9a00821",
+          "tags": [
+            "estimative-language:likelihood-probability=\"very-likely\""
+          ],
+          "type": "similar"
+        }
+      ],
+      "uuid": "ba42ab03-9d29-40c3-b3d4-c2045e47dc07",
+      "value": "Avos"
+    },
+    {
+      "description": "Avos is a ransomware group that was first identified in 2021, initially targeting Windows machines, more recently now, a new ransomware variant of AvosLocker, named after the group, is also targeting Linux environments. Avos has been active since June 2021 and follows the RaaS model, an affiliate program to recruit potential partners. The announcement of the program includes information about features of the ransomware and lets affiliates know that AvosLocker operators will take care of negotiation and extortion practices. The user “Avos” has also been observed trying to recruit individuals on the Russian forum XSS.",
+      "meta": {
+        "links": [
+          "http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion/",
+          "http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion "
+        ],
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/elf.avoslocker",
+          "https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker",
+          "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+          "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen",
+          "https://www.ic3.gov/Media/News/2022/220318.pdf",
+          "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux",
+          "https://blog.lexfo.fr/Avoslocker.html",
+          "https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html",
+          "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/",
+          "https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners",
+          "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+          "https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/",
+          "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/",
+          "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux",
+          "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+          "https://www.ic3.gov/Media/News/2022/220318.pdf",
+          "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+          "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker",
+          "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen",
+          "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+          "https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf",
+          "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html",
+          "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+          "https://blog.talosintelligence.com/avoslocker-new-arsenal/"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "ba42ab03-9d29-40c3-b3d4-c2045e47dc07",
+          "tags": [
+            "estimative-language:likelihood-probability=\"very-likely\""
+          ],
+          "type": "similar"
+        }
+      ],
+      "uuid": "77ea508a-12a4-454e-9b7a-28f9f9a00821",
+      "value": "Avoslocker"
     }
   ],
-  "version": 113
+  "version": 115
 }