April 20, 2022 By Jonathan Reed

On March 17, the FBI, the U.S. Treasury Financial Crimes Enforcement Network and the Department of the Treasury released a joint cybersecurity advisory about AvosLocker, a ransomware-as-a-service (RaaS) affiliate-based group. According to the advisory, AvosLocker has targeted victims across multiple critical infrastructure sectors, including finance, critical manufacturing and government facilities.

AvosLocker engages in what some call ‘double extortion’. These attacks begin by encrypting files and demanding a ransom to unlock the files. Then, the attackers threaten to leak the victim’s files on the darknet.

The AvosLocker leak site has posted many samples of stolen victim data. The group claims to have stolen data from targets in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China and Taiwan. If a victim does not pay the ransom, AvosLocker threatens to sell the data to unspecified third parties.

How AvosLocker ransomware works

AvosLocker ransomware starts by encrypting files on a victim’s server. The files are then renamed with the .avos extension. Next, the threat actors send ransom notes to the victims with a link directing them to an AvosLocker .onion payment site. Payments in Monero are preferred; however, Bitcoin is accepted for a 10-25% premium.

The FBI also states that AvosLocker actors may make phone calls to victims to direct them to the ransom payment site. Some victims have reported that AvosLocker threat actors are willing to negotiate reduced ransom payments.
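The .avos renaming described above gives defenders a behavioural signal to watch for. The following is an added example, not taken from the advisory or the original article: it flags any process that renames several files to the .avos extension within a short window. The pipe-delimited event format, host names, paths, threshold and window are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line (hypothetical format, not a real log schema):
# ISO timestamp | host | process id | old path | new path
SAMPLE_EVENTS = r"""
2022-04-01T02:14:01|FS01|4312|D:\share\q1.xlsx|D:\share\q1.xlsx.avos
2022-04-01T02:14:02|FS01|880|D:\share\report.tmp|D:\share\report.docx
2022-04-01T02:14:02|FS01|4312|D:\share\q2.xlsx|D:\share\q2.xlsx.avos
2022-04-01T02:14:03|WS07|2210|C:\tmp\a.dat|C:\tmp\a.avos
2022-04-01T02:14:03|FS01|4312|D:\share\plan.docx|D:\share\plan.docx.avos
2022-04-01T02:14:04|FS01|4312|D:\share\hr.pdf|D:\share\hr.pdf.avos
2022-04-01T02:19:30|WS07|2210|C:\tmp\b.dat|C:\tmp\b.avos
"""

def parse_event(line):
    """Split one constructed event line into typed fields."""
    ts, host, pid, old, new = line.split("|")
    return datetime.fromisoformat(ts), host, int(pid), old, new

def detect_avos_bursts(text, threshold=3, window_seconds=10):
    """Return {(host, pid): time of first alert} for processes that rename
    at least `threshold` files to *.avos within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (host, pid) -> timestamps of recent .avos renames
    alerts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, old, new = parse_event(line)
        # Count only renames that newly add the .avos extension.
        if not new.lower().endswith(".avos") or old.lower().endswith(".avos"):
            continue
        seen = recent[(host, pid)]
        seen.append(ts)
        # Drop renames that have fallen out of the sliding window.
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold and (host, pid) not in alerts:
            alerts[(host, pid)] = ts
    return alerts

if __name__ == "__main__":
    for (host, pid), when in detect_avos_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {when.isoformat()} host={host} pid={pid}: burst of .avos renames")
```

The isolated renames on WS07 stay below the threshold, so a single file that happens to end in .avos does not raise an alert on its own.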

Vulnerabilities connected with AvosLocker

Multiple reports have identified on-premises Microsoft Exchange Server vulnerabilities as the likely intrusion vector. Some specific vulnerabilities include ProxyShell vulnerabilities associated with CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 and CVE-2021-26855. The sophistication of the intrusion vector likely correlates with the skill set of the AvosLocker affiliate who started the attack.

Mitigating AvosLocker threats

To thwart AvosLocker attacks, the joint advisory offers a variety of mitigation tactics. They include:

  • Maintain multiple copies of sensitive or proprietary data and servers in physically separate, segmented and secure locations (hard drive, storage device, the cloud)
  • Implement network segmentation and maintain offline, password-protected data backups. This ensures limited disruption in case of an attack.
  • Keep copies of critical data separate from the system where the data resides
  • Install and update antivirus software on all hosts and enable real-time detection
  • Install updates and patches to operating systems, software and firmware in a timely manner and stay up to date about new updates and patches
  • Review domain controllers, servers, workstations and active directories for new or unknown user accounts
  • Audit and configure user accounts with least privilege in mind. Limit admin privilege only to those who need it and only for as long as they need it.
  • Disable unused ports
  • Consider adding an email banner to emails received from outside your group
  • Disable all hyperlinks in received emails
  • Use multi-factor authentication where possible
  • Use strong passwords, change passwords often and do not reuse passwords to network systems and accounts
  • Require admin credentials to install software
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network.
  • Focus on awareness and training about ransomware and phishing scams.

Additional resources against ransomware

The FBI also provides other resources to help fight against ransomware. These include CISA’s Stop Ransomware site and CISA’s Ransomware Guide.
