AvosLocker ransomware is being used in attacks on U.S. critical infrastructure organizations, according to a recent joint cybersecurity advisory issued by the Federal Bureau of Investigation (FBI), U.S. Department of the Treasury, and the U.S. Treasury Financial Crimes Enforcement Network (FinCEN).
AvosLocker is a relatively new ransomware group that first appeared in June 2021. Initially, the ransomware was used in attacks on Windows systems; however, a new version of the ransomware has been developed to target Linux systems.
AvosLocker is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks for a cut of the profits generated from ransom payments. As is the case with many other RaaS operations, the gang exfiltrates sensitive data prior to file encryption and then threatens to release the stolen data publicly on its leak site if the ransom is not paid. Initially, a sample of data is published to the leak site if payment is not made. The gang then allows individuals to purchase the stolen data.
The attackers add the .avos extension to encrypted files and demand payment in Monero, or in Bitcoin at a 10%-15% premium. The ransomware gang is known to negotiate payments with victims via the telephone, and in some cases, the ransom payment has been reduced during negotiations. The group has been known to issue other threats to victims to encourage payment, such as telling them they will be subjected to distributed denial-of-service (DDoS) attacks if they do not make payment. The group has targeted organizations in several countries, including the United States, United Kingdom, Spain, Belgium, Turkey, Syria, Saudi Arabia, Canada, China, and Taiwan.
The group is known to gain initial access to victims’ networks via spam/phishing emails, although the gang is also believed to exploit unpatched vulnerabilities, such as on-premises Microsoft Exchange Server vulnerabilities and the ProxyShell vulnerabilities tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473. As this is a RaaS operation, the attack vectors used are likely to vary from affiliate to affiliate and depend on their skillsets. While businesses have been targeted in a range of industry sectors, critical infrastructure organizations in Financial Services, Critical Manufacturing, and Government Facilities have been attacked.
The cybersecurity advisory lists several mitigations that can reduce the risk of a successful attack and limit the harm that can be caused. These include adopting robust backup strategies, patching promptly, segmenting networks, reviewing controllers, servers, workstations, and Active Directory for new accounts, disabling unused ports, disabling hyperlinks in emails, implementing multi-factor authentication and strong password policies, and avoiding public Wi-Fi networks unless a VPN is used.
It is also important not to neglect the human element of cybersecurity. Regular security awareness training should be provided to the workforce, covering information security principles and techniques as well as emerging cybersecurity risks and vulnerabilities.