Feds: Beware AvosLocker Ransomware Attacks on Critical Infrastructure
CISA and FBI warn the RaaS provider's affiliates are striking critical industries, with more attacks expected to come from additional ransomware groups in the months ahead.
October 13, 2023
US authorities issued a warning this week about potential cyberattacks against critical infrastructure from ransomware-as-a-service (RaaS) operation AvosLocker.
In a joint security advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned that AvosLocker affiliates have targeted multiple critical infrastructure sectors across the US as recently as May, using a wide variety of tactics, techniques, and procedures (TTPs), including double extortion and the abuse of trusted native and open source software.
The AvosLocker advisory was issued against a backdrop of increasing ransomware attacks across multiple sectors. In a report published Oct. 13, cyber-insurance company Corvus found a nearly 80% increase in ransomware attacks over last year, as well as a more than 5% increase in activity month-over-month in September.
What You Need to Know About AvosLocker Ransomware Group
AvosLocker does not discriminate between operating systems. It has thus far compromised Windows, Linux, and VMware ESXi environments in targeted organizations.
It's perhaps most notable for how many legitimate and open source tools it uses to compromise victims. These include remote monitoring and management (RMM) tools like AnyDesk for remote access, Chisel for network tunneling, Cobalt Strike for command-and-control (C2), Mimikatz for stealing credentials, and the file archiver 7-Zip, among many more.
The group also favors living-off-the-land (LotL) tactics, using native Windows tools and functions such as PsExec and Nltest to perform actions on remote hosts, alongside open source utilities like the text editor Notepad++.
The FBI has also observed AvosLocker affiliates using custom Web shells to enable network access, and running PowerShell and bash scripts for lateral movement, privilege escalation, and disabling antivirus software. And just a few weeks ago, the agency warned that attackers have been double-dipping: using AvosLocker and other ransomware strains in tandem against the same victims.
Post-compromise, AvosLocker both locks up and exfiltrates files in order to enable follow-on extortion, should its victim be less than cooperative.
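The tooling named above is mostly legitimate software, so detection has to lean on how it is invoked rather than on a file hash. The following is an added example, not code from the CISA/FBI advisory or from any vendor: a small PowerShell triage filter that replays process-creation records against rules for the tools the advisory lists. The rules, the Find-SuspectToolUse function, and the $sampleEvents records are this example's own; the sample records are constructed to resemble Sysmon Event ID 1 fields and were not captured from a real host.

```powershell
# Added example (not from the advisory). Rules match on OriginalFileName (from the
# PE version resource) as well as the path, so a renamed psexec.exe or mimikatz.exe
# is still caught; command-line patterns pin down the specific LotL use described.
# Chisel is a Go binary that is usually renamed and carries no useful
# OriginalFileName, so that rule is a heuristic on its argument shape.
$rules = @(
    @{ Tactic = 'Remote access (AnyDesk)'
       Match  = { param($e) $e.OriginalFileName -eq 'AnyDesk.exe' } }
    @{ Tactic = 'Tunneling (Chisel-style client/server args)'
       Match  = { param($e) $e.CommandLine -match '\bclient\s+(https?://)?\S+:\d+\s+(R:)?(\d+:)?(socks|\S+:\d+)' -or
                            $e.CommandLine -match '\bserver\b.*--reverse' } }
    @{ Tactic = 'Remote execution (PsExec)'
       Match  = { param($e) $e.OriginalFileName -match '^psexe(c|svc)\.exe$' } }
    @{ Tactic = 'Domain trust discovery (Nltest)'
       Match  = { param($e) $e.Image -match '\\nltest\.exe$' -and $e.CommandLine -match '/domain_trusts|/dclist' } }
    @{ Tactic = 'Credential theft (Mimikatz)'
       Match  = { param($e) $e.OriginalFileName -eq 'mimikatz.exe' -or $e.CommandLine -match 'sekurlsa::' } }
    @{ Tactic = 'Exfil staging (password-protected 7-Zip archive)'
       Match  = { param($e) $e.OriginalFileName -eq '7z.exe' -and $e.CommandLine -match '\s-p\S+' } }
)

function Find-SuspectToolUse {
    # Emits one hit object per (event, rule) match; benign events produce nothing.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Event)
    process {
        foreach ($rule in $rules) {
            if (& $rule.Match $Event) {
                [pscustomobject]@{
                    Time    = $Event.UtcTime
                    Host    = $Event.Computer
                    User    = $Event.User
                    Tactic  = $rule.Tactic
                    Image   = $Event.Image
                    Command = $Event.CommandLine
                }
            }
        }
    }
}

# Constructed sample records for this example (hostnames, users, and paths are made up).
$sampleEvents = @(
    [pscustomobject]@{ UtcTime='2023-05-02 03:14:07'; Computer='FS01'; User='CORP\svc_backup'; Image='C:\Windows\System32\nltest.exe';          OriginalFileName='nltest.exe';    CommandLine='nltest /domain_trusts /all_trusts' }
    [pscustomobject]@{ UtcTime='2023-05-02 03:16:22'; Computer='FS01'; User='CORP\svc_backup'; Image='C:\Users\Public\svchost.exe';              OriginalFileName='psexec.exe';    CommandLine='svchost.exe \\DC01 -s -accepteula cmd /c whoami' }
    [pscustomobject]@{ UtcTime='2023-05-02 03:20:05'; Computer='DC01'; User='NT AUTHORITY\SYSTEM'; Image='C:\ProgramData\upd.exe';             OriginalFileName='mimikatz.exe';  CommandLine='upd.exe "privilege::debug" "sekurlsa::logonpasswords" exit' }
    [pscustomobject]@{ UtcTime='2023-05-02 03:41:50'; Computer='FS01'; User='CORP\svc_backup'; Image='C:\Windows\Temp\c.exe';                   OriginalFileName='';              CommandLine='c.exe client 203.0.113.7:8080 R:socks' }
    [pscustomobject]@{ UtcTime='2023-05-02 04:02:11'; Computer='FS01'; User='CORP\jdoe';       Image='C:\Program Files\7-Zip\7z.exe';           OriginalFileName='7z.exe';        CommandLine='7z.exe a -pSecret -mhe=on out.7z D:\Finance' }
    [pscustomobject]@{ UtcTime='2023-05-02 04:05:00'; Computer='WS22'; User='CORP\jdoe';       Image='C:\Program Files\Notepad++\notepad++.exe'; OriginalFileName='notepad++.exe'; CommandLine='"notepad++.exe" report.txt' }
)

$sampleEvents | Find-SuspectToolUse | Format-Table -AutoSize
```

Run against the constructed input, the filter flags the five offensive-use records (renamed PsExec and Mimikatz included) and stays silent on the Notepad++ launch, which is on the advisory's tool list but is not by itself an indicator. To use it on real data, pull Sysmon Event ID 1 records with Get-WinEvent from the Microsoft-Windows-Sysmon/Operational log and map the event's Image, OriginalFileName, CommandLine, User, and UtcTime fields onto objects of the same shape before piping them in.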
"It's all kind of the same, to be honest, as what we've been seeing for the past year or so," Ryan Bell, threat intelligence manager at Corvus, says of AvosLocker and other RaaS groups' TTPs. "But they're becoming more deadly efficient. Through time they're getting better, quicker, faster."
What Companies Can Do to Protect Against Ransomware
To defend against AvosLocker and its ilk, CISA and the FBI provided a long list of measures critical infrastructure providers can take, starting with standard cybersecurity best practices such as network segmentation, multifactor authentication, and tested recovery plans. The advisory adds more specific restrictions, such as limiting or disabling remote desktop services, file and printer sharing services, and command-line and scripting activities and permissions.
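The host-level restrictions in that list are concrete enough to audit with a script. The following is an added example, not code from the advisory or from CISA: a PowerShell script that checks a Windows host for several of those settings and, with -Enforce, applies them. The registry paths, firewall rule groups, and cmdlets are standard Windows ones; the check list, the Get-RegValue helper, and the -Enforce switch are this example's own design.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the CISA/FBI advisory): audit-then-enforce for a subset of the
# host-level restrictions discussed above. Run with no arguments to audit only.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Enforce)

function Get-RegValue {
    # Returns the named registry value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Each check carries a compliant-state test and a remediation. The logging checks are
# not restrictions themselves, but they make the PsExec/Nltest/PowerShell activity
# described above visible in the Security and PowerShell event logs.
$checks = @(
    @{ Name = 'Remote Desktop disabled (registry and firewall rule group)'
       Test = { (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections') -eq 1 }
       Fix  = { Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
                Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' } }
    @{ Name = 'File and Printer Sharing firewall rules disabled'
       Test = { -not (Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
                      Where-Object Enabled -eq 'True') }
       Fix  = { Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' } }
    @{ Name = 'Windows PowerShell 2.0 engine removed (it bypasses script block logging and AMSI)'
       Test = { (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State -ne 'Enabled' }
       Fix  = { Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null } }
    @{ Name = 'Process creation auditing records the command line (Event ID 4688)'
       Test = { (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled') -eq 1 }
       Fix  = { $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
                New-Item -Path $p -Force | Out-Null
                Set-ItemProperty -Path $p -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
                auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null } }
    @{ Name = 'PowerShell script block logging enabled (Event ID 4104)'
       Test = { (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1 }
       Fix  = { $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
                New-Item -Path $p -Force | Out-Null
                Set-ItemProperty -Path $p -Name EnableScriptBlockLogging -Value 1 -Type DWord } }
)

foreach ($c in $checks) {
    if (& $c.Test) { Write-Host "[PASS] $($c.Name)"; continue }
    if ($Enforce -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, $c.Name)) {
        & $c.Fix
        Write-Host "[FIXED] $($c.Name)"
    } else {
        Write-Host "[FAIL] $($c.Name) (run with -Enforce to remediate)"
    }
}
```

Two caveats before running it with -Enforce: the RDP and file-sharing checks are meant for hosts that do not need those services (a file server obviously does), so scope the script to the right hosts rather than fleet-wide; and the firewall rule group names are the English-locale display names, so localized Windows builds need them adjusted. Because the script declares SupportsShouldProcess, -Enforce -WhatIf previews each remediation without changing anything.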
Organizations would be smart to take action now, as ransomware groups will only grow more prolific in the months to come.
"Typically, ransomware groups take a little bit of a summer vacation. We forget that they are people, too," Bell says, citing lower-than-average ransomware numbers in recent months. September's 5.12% bump in ransomware cyberattacks, he says, is the canary in the coal mine.
"They will increase attacks through the fourth quarter. That's usually the highest we see throughout the year, as in both 2022 and 2021, and we're seeing that holds true even now," he warns. "Things are definitely climbing up all across the board."