AvosLocker group is targeting US critical infrastructure, FBI says

Ransomware affiliates threaten to publish stolen data or launch DDoS attacks if victims don’t pay

A ransomware-as-a-service (RaaS) group that has been around since last summer is targeting critical infrastructure in the United States, according to federal law enforcement agencies.

Targets include assets used in the financial services, manufacturing and government sectors, the Feds said.

The AvosLocker ransomware has targeted multiple victims across the country, according to the joint advisory [PDF] issued late last week by the FBI, Treasury Department and Financial Crimes Enforcement Network (FinCEN).

The advisory outlines various indicators of compromise (IoCs) that can help companies determine whether they have become AvosLocker victims, as well as a list of mitigation steps they can take. These range from developing a data recovery plan and implementing network segmentation to regularly backing up data, installing and updating antivirus software and installing updates and patches on operating systems.

Determining IoCs is a challenge because of the nature of RaaS – in which malware developers essentially lease out their malicious code to other threat actors – and how AvosLocker operates.

"AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets," the federal advisory says.

"As a result, AvosLocker indicators of compromise (IOCs) vary between indicators specific to AvosLocker malware and indicators specific to the individual affiliate responsible for the intrusion."

AvosLocker came to the attention of threat intelligence groups last year. Palo Alto Networks' Unit 42 researchers in July 2021 wrote about an advertisement they saw on Dread, which they described as a "Reddit-like dark web discussion forum," for a new RaaS called AvosLocker, outlining features of the ransomware and letting affiliates who leverage the malware know that AvosLocker operators would handle the negotiation and extortion practices.

The group behind AvosLocker – dubbed "Avos" – also was seen trying to recruit people on the Russian forum XSS.

Initially the ransomware targeted Windows-based machines, but Ghanshyam More, principal researcher at cybersecurity firm Qualys, wrote in a blog post earlier this month that a new variant of AvosLocker was seen attacking Linux systems.

"Recently they have added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines," More wrote. "This allows the gang to target a wider range of organizations. It also possesses the ability to kill ESXi VMs, making it particularly nasty."

In outlining the technical details of AvosLocker, the US agencies noted that the ransomware encrypts files on a victim's server and renames them with an ".avos" extension, drops ransom notes on the server and offers a link to an AvosLocker .onion payment site. Some affiliates prefer payment in the Monero cryptocurrency, though Bitcoin is accepted for a 10 percent to 25 percent premium.

In addition, some attackers are calling victims to direct them to the payment site, where they can negotiate a payment. Some ransomware groups offer to negotiate with victims. According to cybersecurity firm Trend Micro, they include not only AvosLocker but also Conti, Lockbit 2.0, Hive and HelloKitty.

"Each of these ransomware groups uses unique victim identifiers to offer negotiation and 'support' while the victim tries to recover their data," Trend Micro researchers wrote in a blog post last year.

RaaS threat groups had been using email to communicate with victims. However, they are migrating to using unique victim identifiers for each victim organization, using these identifiers as part of the ransom note and forcing the ransom file itself to be uploaded to the group's Tor or cleartext website to enable the victim to access a specific chat site, the researchers said.
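The artifacts described above (files renamed with an ".avos" extension, a dropped ransom note carrying a .onion payment link and a per-victim identifier) are the kind of on-disk evidence a responder hunts for after an incident. The script below is an added example, not code from the advisory, the article or any vendor cited in it: it walks a directory tree, flags mass renames, parses ransom notes for Tor links and victim IDs, and returns a verdict. The ransom-note file name pattern, the "ID:" label and the sample tree it builds are constructed assumptions; only the ".avos" extension comes from the advisory.

```python
# Added example (not from the advisory or the article): hunt for the
# post-encryption artifacts the advisory describes, namely files renamed with
# an ".avos" extension and dropped ransom notes pointing at a .onion site.
# The note file name pattern, "ID:" label and sample data are assumptions.
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".avos"                      # extension named in the advisory
# Assumption: common ransom-note naming; individual affiliates may differ.
NOTE_NAME_RE = re.compile(r"(readme|recover|get_your_files_back).*\.txt$", re.I)
# v3 onion hostnames are 56 base32 chars, v2 were 16; accept both.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.I)
# Assumption: the note labels its per-victim identifier "ID:".
VICTIM_ID_RE = re.compile(r"\bID:\s*([A-Za-z0-9-]{8,})")


@dataclass
class HuntResult:
    encrypted: list = field(default_factory=list)   # paths ending in .avos
    notes: list = field(default_factory=list)       # ransom notes with a Tor link
    onion_links: set = field(default_factory=set)
    victim_ids: set = field(default_factory=set)
    dir_ratio: dict = field(default_factory=dict)   # directory -> share of .avos files


def scan_tree(root) -> HuntResult:
    """Walk root once and collect AvosLocker-style indicators."""
    res = HuntResult()
    for dirpath, _, filenames in os.walk(root):
        total = hit = 0
        for name in filenames:
            path = Path(dirpath, name)
            total += 1
            if path.suffix.lower() == ENCRYPTED_EXT:
                hit += 1
                res.encrypted.append(str(path))
            elif NOTE_NAME_RE.search(name):
                text = path.read_text(errors="replace")
                links = ONION_RE.findall(text)
                if links:                            # a readme without a Tor link is not a note
                    res.notes.append(str(path))
                    res.onion_links.update(links)
                    res.victim_ids.update(VICTIM_ID_RE.findall(text))
        if total:
            res.dir_ratio[dirpath] = hit / total
    return res


def verdict(res: HuntResult, min_ratio: float = 0.5) -> str:
    """'encrypted' when a directory is mostly .avos files and a note exists,
    'suspicious' when only one indicator is present, otherwise 'clean'."""
    mass_rename = any(r >= min_ratio for r in res.dir_ratio.values())
    if mass_rename and res.notes:
        return "encrypted"
    if mass_rename or res.notes or res.encrypted:
        return "suspicious"
    return "clean"


def build_sample_tree(base: str) -> Path:
    """Constructed sample data: one hit share plus one untouched directory."""
    share = Path(base, "finance")
    share.mkdir()
    for n in ("q1.xlsx.avos", "budget.docx.avos", "ledger.csv.avos"):
        (share / n).write_bytes(b"\x00" * 16)
    (share / "GET_YOUR_FILES_BACK.txt").write_text(
        "Your files are encrypted.\n"
        "ID: 7f3a9c2e-demo\n"
        "http://" + "a" * 56 + ".onion/\n"          # constructed, not a real address
    )
    clean = Path(base, "public")
    clean.mkdir()
    (clean / "readme.txt").write_text("Nothing to see here.")   # no .onion link
    return Path(base)


def demo() -> tuple:
    """Build the sample tree in a temp dir, scan it, return (result, verdict)."""
    with tempfile.TemporaryDirectory() as d:
        res = scan_tree(build_sample_tree(d))
    return res, verdict(res)


if __name__ == "__main__":
    res, v = demo()
    print(v, len(res.encrypted), "encrypted files, victim IDs:", sorted(res.victim_ids))
```

Run it against a real mount point with `scan_tree("/mnt/evidence")` on an offline image rather than the live host; the per-directory ratio is what separates a handful of stray `.avos` files from a share that was actually encrypted, and the extracted `.onion` link and victim identifier are the values to compare against the advisory's IoCs and the affiliate's negotiation portal.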

According to the federal advisory, in AvosLocker's case, threat actors threaten to publish the victim's exfiltrated data on a public leak site if the victim doesn't negotiate or pay a ransom. The public leak site lists victims of the ransomware as well as a sample of data allegedly stolen from each victim's network, giving organizations further proof of compromise.

The threats don't always stop there. Some AvosLocker affiliates call victims, threatening not only to publish the data if the ransom isn't paid but also to execute distributed denial-of-service (DDoS) attacks against them.

AvosLocker's leak site lists a broad range of countries of alleged victims, including the United States, Canada, Germany, Spain, Belgium, the UK, Syria, Saudi Arabia and Taiwan.

Critical infrastructure is becoming an increasingly popular target for ransomware gangs. In two high-profile cases last year, gas supplier Colonial Pipeline was attacked by the DarkSide group – paying the $4.4m ransom – while global meat supplier JBS Foods paid $11m to REvil.

The FBI earlier this month said in an alert that the Ragnar Locker ransomware threat group has attacked at least 52 critical infrastructure organizations in the United States across the manufacturing, energy, financial services, government and IT sectors. ®

Biting the hand that feeds IT © 1998–2022