The FBI is warning that attackers are targeting U.S. critical infrastructure with the AvosLocker ransomware-as-a-service (RaaS). In some cases, AvosLocker actors will execute distributed denial-of-service (DDoS) attacks to put pressure on victims during negotiations, in addition to exfiltrating, encrypting and leaking their data.
AvosLocker was first spotted in late June last year by researchers who called it “a solid, yet not too fancy new ransomware family.” Researchers with Sophos later in the year noted that ransomware attacks using AvosLocker started to increase in November and December.
“AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors,” according to the FBI in a joint advisory last week, in partnership with the Financial Crimes Enforcement Network and the Department of the Treasury.
Some ransomware affiliates use Microsoft Exchange server vulnerabilities as an intrusion vector, including the Proxy Shell vulnerabilities (CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473), in addition to CVE-2021-26855, a server-side request forgery flaw in Exchange. In other cases, AvosLocker is spread through spam email campaigns and malvertising; however, because the ransomware operates on an affiliate model, the TTPs used to carry out attacks vary.
“Intrusion vectors are likely dependent on the skillsets of the AvosLocker affiliate who infiltrated the victim’s network,” according to the FBI’s alert.
On the victim front, the ransomware actors publish exfiltrated data on a public leak site. In some cases, victims have reported receiving a phone call from AvosLocker representatives, who encourage them to go to the Tor site to negotiate, and further threaten to post stolen data online. According to the FBI, depending upon the affiliate, payments in Monero are preferred; however, they accept Bitcoin for a 10 to 25 percent premium. Some victims have reported that AvosLocker negotiators were willing to negotiate reduced ransom payments, the FBI’s alert said.
In December, the RaaS started to make “a significant effort” to disable endpoint security products on victims’ systems by rebooting infected machines in Windows Safe Mode, which is a special diagnostic configuration that disables third-party drivers and software and enables users to run diagnostic tests on the operating system. Ransomware families like Snatch, REvil and BlackMatter had previously utilized this tactic; however, researchers noted AvosLocker also modified the Safe Mode configuration so that attackers can also install and utilize the IT management tool AnyDesk even when Safe Mode is running, meaning that even if the ransomware doesn’t run for some reason, attackers can still use the tool to remotely access the targeted machine and try again manually.
In addition to AnyDesk, other indicators of compromise (IoCs) associated with AvosLocker ransomware attacks include the use of tools like Cobalt Strike, encoded PowerShell scripts, Rclone, and Winlister, according to the FBI.
Enterprises can protect themselves by implementing numerous security measures, including segmenting networks, regularly backing up data and maintaining password-protected backup copies offline, and installing and updating antivirus software. Overall, organizations should “implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud),” according to the FBI.
Adam Kujawa, security evangelist at Malwarebytes, said that AvosLocker has historically focused on critical infrastructure, as well as corporate networks.
“The big concern here is that tactics used by AvosLocker - such as utilizing DDoS attacks to pressure payment and having someone actually call the organizations, from the crime group, hoping to negotiate with the company - will be adopted (as they always do) by other ransomware and crime groups in the near future,” he said.