Another week, another warning from the U.S. government on a ransomware group that's posing a threat to data at organizations.
Three agencies, the Federal Bureau of Investigation, the U.S. Treasury, and the Financial Crimes Enforcement Network, part of the Treasury, warned about the AvosLocker ransomware-as-a-service group in a joint cybersecurity advisory last week.
While not necessarily new - the group first surfaced last summer - it has remained a consistent presence over the past several months. Lately, the group has set its sights on U.S. critical infrastructure, including financial services, critical manufacturing, and government facilities, according to the notice.
Like other ransomware groups, including Maze, Conti, and Ryuk, it sounds like AvosLocker goes the distance to extract payment from organizations, even calling victims directly to pressure them into paying. If a victim sounds reluctant, AvosLocker representatives use scare tactics, including threatening to post the stolen data online or carrying out a distributed denial-of-service attack during a negotiation to show they mean business.
In some instances, the group has been known to negotiate with victims to reduce payments. While the group prefers payment in Monero, it will accept Bitcoin for a 10-25% premium, according to the FBI.
The group appears to be exploiting Microsoft Exchange Server vulnerabilities, including the ProxyShell vulnerabilities connected to CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, in addition to CVE-2021-26855.
As AvosLocker deals in double extortion - stealing the data, then encrypting it - victims that don't pay up risk having their stolen data published on the group's leak site, a public site that's separate from the .onion payment site it directs victims to for ransom negotiation. Victims, at least according to the leak site, include organizations from the U.S. but also Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China, and Taiwan.
Defenders looking to prevent an AvosLocker attack will want to review the government's advisory for indicators of compromise (IOCs) specific to the malware and specific to the individual affiliate responsible for the intrusion. As AvosLocker is a RaaS group, affiliates often do the dirty work of breaking into victim networks, meaning that attack vectors differ depending on the affiliate.
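As an added illustration (not code from the advisory, the agencies, or the article), the following Python sketch shows one way a defender can turn an advisory's IOC list into a quick sweep of local logs. Advisories usually publish indicators "defanged" (`hxxp://`, `[.]`), so the script normalizes them before matching. Every indicator value and log line below is a constructed placeholder; the real indicators must be copied from the FBI/Treasury advisory itself.

```python
import re
from collections import defaultdict

# Constructed placeholder IOC list in a "type,value" layout, defanged the way
# advisories typically publish indicators. NOT real AvosLocker indicators.
PLACEHOLDER_IOCS = """\
# type,value
ip,192[.]0[.]2[.]45
domain,payment-portal[.]example
url,hxxp://192[.]0[.]2[.]45/update.exe
sha256,0011223344556677889900112233445566778899001122334455667788990011
"""

# Constructed sample log lines (IIS-style web log, proxy log, EDR file event).
SAMPLE_LOGS = [
    "2022-03-22 10:14:02 203.0.113.7 GET /owa/ - 443 - 198.51.100.20 Mozilla/5.0 200",
    "2022-03-22 10:15:40 proxy allow user=jdoe dst=payment-portal.example:443",
    r"2022-03-22 10:16:05 edr file_create path=C:\Users\Public\update.exe "
    "sha256=0011223344556677889900112233445566778899001122334455667788990011",
    "2022-03-22 10:16:07 proxy allow user=jdoe url=http://192.0.2.45/update.exe",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo common defanging so indicators compare against real log content."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.strip()


def parse_iocs(text: str) -> dict:
    """Parse 'type,value' lines into {type: set(normalized values)}."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        iocs[kind.strip().lower()].add(refang(value).lower())
    return iocs


def sweep(lines, iocs) -> list:
    """Return (line_number, ioc_type, value) for every indicator seen in the logs."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        # Exact-token matches for IPs and hashes avoid substring false positives
        # (e.g. 10.0.0.1 inside 10.0.0.10).
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for h in SHA256_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append((n, "sha256", h.lower()))
        # Domains and URLs are matched as substrings of the lowercased line.
        for dom in iocs["domain"]:
            if dom in low:
                hits.append((n, "domain", dom))
        for url in iocs["url"]:
            if url in low:
                hits.append((n, "url", url))
    return hits


if __name__ == "__main__":
    for n, kind, value in sweep(SAMPLE_LOGS, parse_iocs(PLACEHOLDER_IOCS)):
        print(f"line {n}: {kind} indicator matched: {value}")
```

Because affiliates vary in their tooling, the indicator list should be treated as a starting point for a hunt, not as a complete detection; a hit warrants pulling the surrounding activity for that host and user, and a clean sweep does not rule out an intrusion by a different affiliate.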
While some ransomware groups have a short life span, it seems as if AvosLocker, which doesn't sound especially advanced, has managed to stay relevant.
Some of the first AvosLocker infections surfaced last summer, shortly after the group said it was looking for affiliates on underground forums.
Researchers at Malwarebytes blogged about the group last July and pointed out the group was advertising "a multi-threaded ransomware written in C++" and looking for "pentesters with Active Directory network experience" and "access brokers." The group must have enough affiliates - and has encountered enough success - to carry on.
Defenders should also follow the list of mitigations the FBI and U.S. Treasury share in the advisory. The instructions are similar to those the agencies provided following a rash of RagnarLocker ransomware infections earlier this month and include implementing a data recovery plan, network segmentation, using multifactor authentication, and installing updates for software and firmware as soon as they're available.