April 20, 2022 By Jonathan Reed 2 min read

On March 17, the FBI, the U.S. Treasury Financial Crimes Enforcement Network and the Department of the Treasury released a joint cybersecurity advisory about AvosLocker, a ransomware-as-a-service (RaaS) affiliate-based group. According to the advisory, AvosLocker has targeted victims across multiple critical infrastructure sectors, including finance, critical manufacturing and government facilities.

AvosLocker engages in what some call ‘double extortion’. These attacks begin by encrypting files and demanding a ransom to unlock the files. Then, the attackers threaten to leak the victim’s files on the darknet.

The AvosLocker leak site has posted many samples of stolen victim data. The group claims to have stolen data from targets in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China and Taiwan. If a victim does not pay the ransom, AvosLocker threatens to sell the data to unspecified third parties.

How AvosLocker ransomware works

AvosLocker ransomware starts by encrypting files on a victim’s server. The files are then renamed with the .avos extension. Next, the threat actors send ransom notes to the victims with a link directing them to an AvosLocker .onion payment site. Payments in Monero are preferred; however, Bitcoin is accepted for a 10-25% premium.

The FBI also states that AvosLocker actors may make phone calls to victims to direct them to the ransom payment site. Some victims have reported that AvosLocker threat actors are willing to negotiate reduced ransom payments.
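The behaviour described above (bulk encryption followed by renaming files with the .avos extension) is something a file-activity monitor can catch early. The following is an added example, not code from the article or the advisory: it parses a constructed, hypothetical rename log (timestamp, host, process, action, source path, destination path) and raises an alert when one process on one host renames files to .avos faster than a threshold within a sliding window. The log format, host and process names are all assumptions made for the example.

```python
"""Detect bursts of renames to the .avos extension in file-activity logs.

Constructed example: the log line layout used here is an assumption, not the
advisory's own telemetry format. Each line is:
    <ISO-8601 UTC timestamp> <host> <process> <ACTION> <src path> -> <dst path>
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events for the demonstration; not real telemetry.
SAMPLE_LOG = """\
2022-03-17T02:14:01Z srv-fin-01 backup.exe RENAME C:\\Finance\\q1.xlsx -> C:\\Finance\\q1.xlsx.bak
2022-03-17T02:15:10Z srv-fin-01 update.exe RENAME C:\\Finance\\q1.xlsx -> C:\\Finance\\q1.xlsx.avos
2022-03-17T02:15:10Z srv-fin-01 update.exe RENAME C:\\Finance\\q2.xlsx -> C:\\Finance\\q2.xlsx.avos
2022-03-17T02:15:11Z srv-fin-01 update.exe RENAME C:\\Finance\\q3.xlsx -> C:\\Finance\\q3.xlsx.avos
2022-03-17T02:15:11Z srv-fin-01 update.exe RENAME C:\\HR\\payroll.docx -> C:\\HR\\payroll.docx.AVOS
2022-03-17T02:15:12Z srv-fin-01 update.exe RENAME C:\\HR\\contracts.pdf -> C:\\HR\\contracts.pdf.avos
2022-03-17T02:15:13Z srv-fin-01 update.exe RENAME C:\\HR\\org chart.pptx -> C:\\HR\\org chart.pptx.avos
2022-03-17T02:40:00Z srv-web-02 user.exe RENAME C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.txt.avos
"""


def parse_event(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    # The destination path follows the literal " -> " separator; paths may contain spaces.
    left, sep, dst = line.partition(" -> ")
    parts = left.split(" ", 4)
    if len(parts) != 5:
        return None
    ts, host, process, action, src = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"time": when, "host": host, "process": process, "action": action,
            "src": src, "dst": dst if sep else None}


def is_avos_rename(event):
    """True when a rename produces a file ending in .avos (case-insensitive)."""
    return (event["action"] == "RENAME" and event["dst"] is not None
            and event["dst"].lower().endswith(".avos"))


def avos_rename_counts(lines):
    """Count .avos renames per (host, process); a single hit is an indicator worth a look."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_avos_rename(ev):
            counts[(ev["host"], ev["process"])] += 1
    return counts


def detect_avos_bursts(lines, threshold=5, window_seconds=60):
    """Return one alert per (host, process) that reaches `threshold` .avos renames
    inside a sliding window of `window_seconds`; lines are assumed time-ordered."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (host, process) -> timestamps inside the window
    totals = Counter()            # (host, process) -> all .avos renames seen
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_avos_rename(ev):
            continue
        key = (ev["host"], ev["process"])
        totals[key] += 1
        q = recent[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(key, {"host": key[0], "process": key[1],
                                            "first_seen": q[0].isoformat()})
            alert["last_seen"] = ev["time"].isoformat()
            alert["count"] = totals[key]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_avos_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['host']} {a['process']}: {a['count']} .avos renames "
              f"between {a['first_seen']} and {a['last_seen']}")
```

On the constructed log this reports one alert for update.exe on srv-fin-01 (six renames in a few seconds) and leaves the single rename on srv-web-02 as an indicator rather than an alert. The threshold and window are deliberately parameters: a mass rename from one process in under a minute is the pattern worth paging on, whereas an isolated .avos file is a lead for the analyst queue.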

Vulnerabilities connected with AvosLocker

Multiple reports have identified on-premises Microsoft Exchange Server vulnerabilities as the likely intrusion vector. Specific vulnerabilities include the ProxyShell vulnerabilities associated with CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 and CVE-2021-26855. The level of intrusion vector sophistication likely correlates to the skill set of the AvosLocker affiliate who started the attack.

Mitigating AvosLocker threats

To thwart AvosLocker attacks, the joint advisory offers a variety of mitigation tactics. They include:

  • Maintain multiple copies of sensitive or proprietary data and servers in physically separate, segmented and secure locations (hard drive, storage device, the cloud)
  • Implement network segmentation and maintain offline, password-protected data backups. This limits disruption in case of an attack.
  • Keep copies of critical data separate from the system where the data resides
  • Install and update antivirus software on all hosts and enable real-time detection
  • Install updates and patches to operating systems, software and firmware in a timely manner and stay up to date about new updates and patches
  • Review domain controllers, servers, workstations and active directories for new or unknown user accounts
  • Audit and configure user accounts with least privilege in mind. Limit admin privilege only to those who need it and only for as long as they need it.
  • Disable unused ports
  • Consider adding an email banner to emails received from outside your group
  • Disable all hyperlinks in received emails
  • Use multi-factor authentication where possible
  • Use strong passwords, change passwords often and do not reuse passwords across network systems and accounts
  • Require admin credentials to install software
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network.
  • Focus on awareness and training about ransomware and phishing scams.

Additional resources against ransomware

The FBI also provides other resources to help fight against ransomware. These include CISA’s Stop Ransomware site and CISA’s Ransomware Guide.
