On March 17, the FBI, the U.S. Treasury Financial Crimes Enforcement Network and the Department of the Treasury released a joint cybersecurity advisory about AvosLocker, a ransomware-as-a-service (RaaS) affiliate-based group. According to the advisory, AvosLocker has targeted victims across multiple critical infrastructure sectors, including finance, critical manufacturing and government facilities.

AvosLocker engages in what some call ‘double extortion’. These attacks begin by encrypting files and demanding a ransom to unlock the files. Then, the attackers threaten to leak the victim’s files on the darknet.

The AvosLocker leak site has posted many samples of stolen victim data. The group claims to have stolen data from targets in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China and Taiwan. If a victim does not pay the ransom, AvosLocker threatens to sell the data to unspecified third parties.

How AvosLocker Ransomware Works

AvosLocker ransomware starts by encrypting files on a victim’s server. The files are then renamed with the .avos extension. Next, the threat actors send ransom notes to the victims with a link directing them to an AvosLocker .onion payment site. Payments in Monero are preferred; however, Bitcoin is accepted for a 10-25% premium.

The FBI also states that AvosLocker actors may make phone calls to victims to direct them to the ransom payment site. Some victims have reported that AvosLocker threat actors are willing to negotiate reduced ransom payments.

Vulnerabilities Connected With AvosLocker

Multiple reports have revealed on-premise Microsoft Exchange Server vulnerabilities as the likely intrusion vector. Some specific vulnerabilities include Proxy Shell vulnerabilities associated with CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 and CVE-2021-26855. The level of intrusion vector sophistication likely correlates to the skillset of the AvosLocker affiliate who started the attack.

Mitigating AvosLocker Threats

To thwart AvosLocker attacks, the joint advisory offers a variety of mitigation tactics. They include:

  • Maintain multiple copies of sensitive or proprietary data and servers in physically separate, segmented and secure locations (hard drive, storage device, the cloud)
  • Implement network segmentation and maintain offline, password-protected data backups. This ensures limited disruption in case of an attack.
  • Keep copies of critical data separate from the system where the data resides
  • Install and update antivirus software on all hosts and enable real-time detection
  • Install updates and patches to operating systems, software and firmware in a timely manner and stay up to date about new updates and patches
  • Review domain controllers, servers, workstations and active directories for new or unknown user accounts
  • Audit and configure user accounts with least privilege in mind. Limit admin privilege only to those who need it and only for as long as they need it.
  • Disable unused ports
  • Consider adding an email banner to emails received from outside your group
  • Disable all hyperlinks in received emails
  • Use multi-factor authentication where possible
  • Use strong passwords, change passwords often and do not reuse passwords to network systems and accounts
  • Require admin credentials to install software
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network.
  • Focus on awareness and training about ransomware and phishing scams.

Additional Resources Against Ransomware

The FBI also provides other resources to help fight against ransomware. These include CISA’s Stop Ransomware site and CISA’s Ransomware Guide.

More from News

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…

New Survey Shows Burnout May Lead to Attrition

For many organizations and the cybersecurity industry as a whole, improving retention and reducing the skills gap is a top priority. Mimecast’s The State of Ransomware Readiness 2022: Reducing the Personal and Business Cost points to another growing concern — burnout that leads to attrition. Without skilled employees, organizations cannot protect their data and infrastructure from increasing cybersecurity attacks. According to Mimecast’s report, 77% of cybersecurity leaders say the number of cyberattacks against their company has increased or stayed the…

Alleged FBI Database Breach Exposes Agents and InfraGard

Recently the feds suffered a big hack, not once, but twice. First, the FBI-run InfraGard program suffered a breach. InfraGard aims to strengthen partnerships with the private sector to share information about cyber and physical threats. That organization experienced a major breach in early December, according to a KrebsOnSecurity report. Allegedly, the InfraGard database — containing contact information of over 80,000 members — appeared up for sale on a cyber crime forum. Also, the hackers have reportedly been communicating with…