The FBI and US Treasury are advising organizations to beware of a specific strain of ransomware aimed at critical infrastructure sectors in the United States. Published last Thursday, a joint cybersecurity advisory issued by the two agencies warns of a Ransomware as a Service (RaaS) affiliate-based group known as AvosLocker.
Victims include but aren’t limited to financial services, manufacturing and government agencies. The group claims it has targeted organizations not just in the US but in the UK, Canada, China, Taiwan, Germany, Spain, Saudi Arabia and other nations.
This particular ransomware encrypts files on a victim’s server, renaming them with a .avos, .avos2 or .AvosLinux extension. The ransom note, named GET_YOUR_FILES_BACK.txt, tells victimized organizations that their files and confidential documents have been encrypted and that they must pay for a decryption key and application. Victims are then instructed to browse to an AvosLocker .onion payment site to make the ransom payment in Monero (or Bitcoin at a 10%-25% premium).
Members of the ransomware group have actually called victims by phone to direct them to the payment site and even negotiate to reduce the payment, according to the FBI. During these negotiations, the cybercriminals will sometimes threaten to launch distributed denial-of-service (DDoS) attacks. Organizations that fail to pay the ransom are warned that their confidential data will be leaked through the group’s press release blog.
AvosLocker ransomware attacks leave specific indicators of compromise (IoCs) that signal an organization has been infected. These IoCs include the modification of Windows Registry “Run” keys and the use of scheduled tasks for persistence. The advisory also listed the following tools associated with these attacks:
- Cobalt Strike
- Encoded PowerShell scripts (a publicly available tool)
- PuTTY Secure Copy client tool “pscp.exe”
- Rclone
- AnyDesk
- Advanced IP Scanner
- WinLister
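The persistence IoCs (Run keys, scheduled tasks) and the encryption artifacts (renamed extensions, ransom note) described above can be checked on a single Windows host with a short triage script. The script below is an added example, not code from the advisory or the article; the scan roots and the "non-Microsoft task" filter are assumptions, and any entry it lists still needs to be compared against a known-good baseline.

```powershell
# Added triage example: hunt for the AvosLocker indicators named in the advisory.
# Run from an elevated PowerShell session. Scan roots are an assumption.
param(
    [string[]]$ScanRoots = @("C:\Users", "D:\")   # assumed locations of user/server data
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. Autorun keys: the advisory lists modification of "Run" keys as an IoC.
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like "PS*") { continue }   # skip PSPath/PSParentPath/... metadata
        $findings.Add([pscustomobject]@{ Type = "RunKey"; Where = $key; Name = $p.Name; Value = $p.Value })
    }
}

# 2. Scheduled tasks: list every task outside the \Microsoft\ tree (assumed baseline filter).
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike "\Microsoft\*" } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; "
    $findings.Add([pscustomobject]@{ Type = "ScheduledTask"; Where = $_.TaskPath; Name = $_.TaskName; Value = $actions })
}

# 3. Encryption artifacts: renamed files and the ransom note described in the article.
$extPattern = '\.(avos|avos2|AvosLinux)$'   # -match is case-insensitive in PowerShell
foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $extPattern -or $_.Name -eq "GET_YOUR_FILES_BACK.txt" } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = "FileArtifact"; Where = $_.DirectoryName; Name = $_.Name; Value = $_.LastWriteTime })
        }
}

# Report everything found, grouped by indicator type, for comparison against a known-good baseline.
$findings | Sort-Object Type, Where | Format-Table -AutoSize
```

Any FileArtifact hit is a strong signal that encryption has already run; RunKey and ScheduledTask entries are only suspicious when they do not appear in the host's baseline.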
Further, several victims have reported that vulnerabilities in on-premises Microsoft Exchange Server systems were one avenue for intrusion. Attackers have also targeted the ProxyShell vulnerabilities CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473, as well as CVE-2021-26855.
“This type of advisory tends to be a reflection of two things: the rise in the number of attacks perpetrated by a group and the availability of consistent indicators of compromise or an understanding of the modus operandi of the group,” said Vectra AI CTO Oliver Tavakoli. “The AvosLocker ransomware is a pretty standard variation of the well-worn recipe for ransomware package — find files of interest, exfiltrate them, encrypt the ones in the target environment, drop a ransom note, etc.”
To help organizations better protect themselves against an AvosLocker ransomware attack, the advisory offers the following tips:
- Set up a recovery plan to store multiple copies of sensitive or proprietary data in a secure and segmented location separate from your main network.
- Segment your network and keep offline backups of your data to minimize any interruption to your business in the event of an attack.
- Regularly back up your data and password-protect all offline backups. Make sure that any backups of your critical data can’t be altered or removed.
- Regularly update antivirus and security software on all hosts and implement real-time detection.
- Update your operating systems, software and firmware with the latest security patches as soon as they’re available.
- Review your domain controllers, servers, workstations and active directories for any new or unfamiliar accounts.
- Do not give all users administrative privileges. Set up your access controls with least privilege in mind. Audit any user accounts that have administrative privileges.
- Disable any unused ports.
- Consider displaying a banner for any email received outside your organization.
- Disable hyperlinks in received emails.
- Use multifactor authentication whenever and wherever possible.
- Use strong and secure passwords for your network systems and accounts and regularly change them.
- Require administrator credentials to install software.
- Use secure networks and VPNs and avoid the use of public Wi-Fi networks.
- Regularly offer users cybersecurity training with an emphasis on emerging risks and vulnerabilities, such as ransomware and phishing attacks.