On March 17, the FBI, the U.S. Treasury Financial Crimes Enforcement Network and the Department of the Treasury released a joint cybersecurity advisory about AvosLocker, a ransomware-as-a-service (RaaS) affiliate-based group. According to the advisory, AvosLocker has targeted victims across multiple critical infrastructure sectors, including finance, critical manufacturing and government facilities.
AvosLocker engages in what some call ‘double extortion’. These attacks begin by encrypting files and demanding a ransom to unlock the files. Then, the attackers threaten to leak the victim’s files on the darknet.
The AvosLocker leak site has posted many samples of stolen victim data. The group claims to have stolen data from targets in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China and Taiwan. If a victim does not pay the ransom, AvosLocker threatens to sell the data to unspecified third parties.
How AvosLocker ransomware works
AvosLocker ransomware starts by encrypting files on a victim’s server. The files are then renamed with the .avos extension. Next, the threat actors send ransom notes to the victims with a link directing them to an AvosLocker .onion payment site. Payments in Monero are preferred; however, Bitcoin is accepted for a 10-25% premium.
The FBI also states that AvosLocker actors may make phone calls to victims to direct them to the ransom payment site. Some victims have reported that AvosLocker threat actors are willing to negotiate reduced ransom payments.
Vulnerabilities connected with AvosLocker
Multiple reports have revealed on-premise Microsoft Exchange Server vulnerabilities as the likely intrusion vector. Some specific vulnerabilities include Proxy Shell vulnerabilities associated with CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 and CVE-2021-26855. The level of intrusion vector sophistication likely correlates to the skillset of the AvosLocker affiliate who started the attack.
Mitigating AvosLocker threats
To thwart AvosLocker attacks, the joint advisory offers a variety of mitigation tactics. They include:
- Maintain multiple copies of sensitive or proprietary data and servers in physically separate, segmented and secure locations (hard drive, storage device, the cloud)
- Implement network segmentation and maintain offline, password-protected data backups. This ensures limited disruption in case of an attack.
- Keep copies of critical data separate from the system where the data resides
- Install and update antivirus software on all hosts and enable real-time detection
- Install updates and patches to operating systems, software and firmware in a timely manner and stay up to date about new updates and patches
- Review domain controllers, servers, workstations and active directories for new or unknown user accounts
- Audit and configure user accounts with least privilege in mind. Limit admin privilege only to those who need it and only for as long as they need it.
- Disable unused ports
- Consider adding an email banner to emails received from outside your group
- Disable all hyperlinks in received emails
- Use multi-factor authentication where possible
- Use strong passwords, change passwords often and do not reuse passwords to network systems and accounts
- Require admin credentials to install software
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network.
- Focus on awareness and training about ransomware and phishing scams.
Additional resources against ransomware
The FBI also provides other resources to help fight against ransomware. These include CISA’s Stop Ransomware site and CISA’s Ransomware Guide.