AvosLocker group is targeting US critical infrastructure, FBI says

A ransomware-as-a-service (RaaS) group that has been around since last summer is targeting critical infrastructure in the United States, according to federal law enforcement agencies.

Targets include assets used in the financial services, manufacturing and government sectors, the Feds said.

The AvosLocker ransomware has targeted multiple victims across the country, according to the joint advisory [PDF] issued late last week by the FBI, Treasury Department and Financial Crimes Enforcement Network (FinCEN).

The advisory outlines various indicators of compromise (IoCs) that can help companies determine whether they have become AvosLocker victims, as well as a list of mitigation steps they can take. These range from developing a data recovery plan and implementing network segmentation to regularly backing up data, installing and updating antivirus software and installing updates and patches on operating systems.

Determining IoCs is a challenge because of the nature of RaaS – in which malware developers essentially lease out their malicious code to other threat actors – and how AvosLocker operates.

"AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets," the federal advisory says.

"As a result, AvosLocker indicators of compromise (IOCs) vary between indicators specific to AvosLocker malware and indicators specific to the individual affiliate responsible for the intrusion."

AvosLocker came to the attention of threat intelligence groups last year. Palo Alto Networks' Unit 42 researchers in July 2021 wrote about an advertisement they saw on Dread, which they described as a "Reddit-like dark web discussion forum," for a new RaaS called AvosLocker, outlining features of the ransomware and letting affiliates who leverage the malware know that AvosLocker operators would handle the negotiation and extortion practices.

The group behind AvosLocker – dubbed "Avos" – also was seen trying to recruit people on the Russian forum XSS.

Initially the ransomware targeted Windows-based machines, but Ghanshyam More, principal researcher at cybersecurity firm Qualys, wrote in a blog post earlier this month that a new variant of AvosLocker was seen attacking Linux systems.

"Recently they have added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines," More wrote. "This allows the gang to target a wider range of organizations. It also possesses the ability to kill ESXi VMs, making it particularly nasty."

In outlining the technical details of this AvosLocker group, the US agencies noted that the ransomware encrypts files on a victim's server and renames then with an ".avos" extension, puts ransom notes on the server and offers a link to an AvosLocker .onion payment site. Some affiliates prefer payments in the Monero cryptocurrency, though Bitcoin is accepted for a 10 percent to 25 percent premiums.

In addition, some attackers are calling victims to direct them to the payment site, where they can negotiate a payment. Some ransomware groups offer to negotiate with victims. According to cybersecurity firm Trend Micro, they include not only AvosLocker but also Conti, Lockbit 2.0, Hive and HelloKitty.

"Each of these ransomware groups uses unique victim identifiers to offer negotiation and 'support' while the victim tries to recover their data," Trend Micro researchers wrote in a blog post last year.

RaaS threat groups had been using email to communicate with victims. However, they are migrating to using unique victim identifiers for each victim organization, using these identifiers as part of the ransom note and forcing the ransom file itself to be uploaded to the group's Tor or cleartext website to enable the victim to access a specific chat site, the researchers said.

According to the federal advisory, in AvosLocker's case, threat actors threaten to publish the victim's exfiltrated data to a public leak sites if they don't negotiate a ransom or pay it. The public leak site lists victims of the ransomware as well as a sample of data allegedly stolen from the victim's network, giving organizations further proof of compromise.

The threats don't always stop there. Some AvosLocker affiliates call victims, threatening not only to publish the data if the ransom isn't paid but also to executive distributed denial-of-service (DDoS) attacks against them.

• LokiLocker ransomware family spotted with built-in wiper
• BlackMatter ransomware gang says it's disbanding – again – after Ukraine arrests
• Dissected: A dropper-as-a-service miscreants pay to push their malware onto potentially 1,000s of victims
• Conti ransomware gang's source code leaked

AvosLocker's leak site lists a broad range of countries of alleged victims, including the United States, Canada, Germany, Spain, Belgium, the UK, Syria, Saudi Arabia and Taiwan.

Critical infrastructure is becoming an increasingly popular target for ransomware gangs. In two high-profile cases last year, gas supplier Colonial Pipeline was attacked by the DarkSide group – paying the $4.4m ransom – while global meat supplier JBS Foods paid $11m to REvil.

The FBI earlier this month said in an alert that the Ragnar Locker ransomware threat group has attacked at least 52 critical infrastructure organizations in the United States across the manufacturing, energy, financial services, government and IT sectors. ®