Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime

Ransomware Alert: AvosLocker Hits Critical Infrastructure

FBI Warns: Operation's Affiliates Employ a Variety of Tactics to Hit Targets
Ransomware Alert: AvosLocker Hits Critical Infrastructure

The ransomware-as-a-service operation AvosLocker has been amassing "victims across multiple critical infrastructure sectors in the United States," the FBI warns.

See Also: Double-Click on Risk-Based Cybersecurity

Known victims hail from organizations in such sectors as financial services, manufacturing and government facilities, the FBI, together with the Treasury Department and its Financial Crimes Enforcement Network bureau, aka FinCEN, warn in a cybersecurity advisory.

The alert includes known indicators of compromise and tactics employed the group and essential defenses for any organization that might be targeted by ransomware.

The AvosLocker operation is a ransomware-as-a-service program, meaning the operators develop the crypto-locking malware and recruit affiliates who use the malicious code to infect victims. As part of the operation, "AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets," the FBI says.

In a RaaS business model, an affiliate will typically receive about 70% or 80% of every ransom paid, with the rest going to the operators. This approach has helped drive increased revenue for many ransomware operations, in part because it can directly reward the different specialists involved, based on their actual success.

AvosLocker ransom note, circa December 2021 (Source: FBI)

Multiple Affiliates Apply Their Skills

What does an AvosLocker attack look like? The tactics, techniques and procedures used by the group often vary, due to the group's different affiliates bringing their own experience, proclivities and skill sets to bear, the FBI says.

But multiple victims have traced AvosLocker outbreaks to attackers having first exploited known Microsoft Exchange email server vulnerabilities to gain access to their network, including via the serious ProxyShell vulnerabilities that came to light in April 2021 - which Microsoft patched last May and July.

Other TTPs tied to prior AvosLocker attacks have included, among others, the use of Cobalt Strike adversary-simulation software, encoded PowerShell scripts, the PuTTY secure copy client - aka PSCP - used to swap encrypted files between a server and PC, the Rclone command-line tool for managing cloud environments, and AnyDesk remote desktop application software.

First Targeted Smaller Firms

AvosLocker was first spotted in June 2021, when a researcher reported that the group appeared to be targeting smaller entities, including law firms, plus freight, logistics and real estate firms, across the U.S., the U.K. and parts of Europe, and only accepting monero for ransom payments.

Shortly thereafter, the ransomware operation began heavily advertising for affiliates. "AvosLocker actively recruited affiliates on the XSS, Exploit, and RAMP forums and published a separate page regarding their partnership program on their blog," Israeli threat intelligence firm Kela says in a new report tracing 2021 ransomware trends.

Affiliate recruitment advertisement posted by the AvosLocker ransomware-as-a-service operation to a darknet forum in July 2021 (Source: Malwarebytes)

"Moreover, they also showed interest in buying network accesses on forums," Kela says. "For instance, in December 2021, they were interested in buying access to companies in the U.S. and Canada with revenue over $50 million, claiming that they were ready to pay a share of a ransom."

Expanding List of Victims

Early victims of AvosLocker included Moorfields Eye Hospitals UAE, which is a branch of the British National Health Service's Moorfields Eye Hospital Foundation Trust, from which the group claimed to have stolen more than 60GB of data.

Last August, Doel Santos and Ruchna Nigam of Palo Alto Networks' Unit 42 threat research group reported that AvosLocker's initial ransom demand to a victim typically ranged from $50,000 to $75,000. "Like many of its competitors, AvosLocker offers technical support to help victims recover after they've been attacked with encryption software that the group claims is 'fail-proof,' has low detection rates and is capable of handling large files," they said in a blog post.

Ransomware incident response firm Coveware says that in Q4 of 2021, based on investigations it conducted or tracked, AvosLocker controlled about 3% of the ransomware market.

In November 2021, AvosLocker affiliates began getting new ransomware variants, including one for Windows, dubbed Avos2, as well as a Linux variant dubbed Avoslinux, Kela reports.

Partially redacted information pertaining to victims posted to AvosLocker data leak site (Source: Kela)

The FBI says since AvosLocker launched, its leak site has listed victims not just from the U.S. and U.K., but also Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey and the United Arab Emirates.

Data Leak Site Updates

When AvosLocker was first spotted, its data leak site reports looked like the DoppelPaymer ransomware operation's data leak site, Kela says. But AvosLocker redesigned its data leak site last September, "adding a new auction feature allowing buyers to buy data of companies that refuse to pay a ransom," Kela says, and by the end of the year it had listed more than 55 victims on the site.

First version of AvosLocker's data leak site

But this would only represent a subset of victims who didn't pay quickly.

Ransomware groups that use data leak sites typically only list victims that haven't paid a ransom, to try and pressure them into purchasing not just a decryptor but also the removal of their name from the victim list. If that doesn't succeed, the criminals will typically leak extracts of any stolen data as an inducement to pay. As a final step for nonpayers, the criminals will typically dump all stolen data to try and send a message to future victims. That's because, for attackers, the best result of any attack is a victim who pays quickly and quietly, not least because it makes the group's activities tougher for law enforcement agencies to track.

The FBI says AvosLocker operators appear to handle all negotiations with victims. "In some cases, AvosLocker victims receive phone calls from an AvosLocker representative," the FBI's alert says. "The caller encourages the victim to go to the .onion site to negotiate and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service attacks during negotiations."

Blaming Affiliates for Bad Hits

AvosLocker hasn't been immune to the missteps experienced by other ransomware operations, such as DarkSide and also REvil, aka Sodinokibi. Those groups infected critical-sector organizations with ransomware, leading Western governments to begin attempting to actively disrupt the groups.

In November 2021, AvosLocker hit an unnamed U.S. police department and apparently quickly attempted to backtrack. The incident came to light after the group's apology was spotted last December by the security researcher who goes by @pancak3lullz.

Apology from AvosLocker issued in November 2021, after it crypto-locked a U.S. police department (Source: @pancak3lullz)

Disingenuously, AvosLocker blamed an affiliate for the attack.

At the time, an AvosLocker representative told Bleeping Computer that it doesn't prevent affiliates from hitting any type of target, although it claimed that it would seek to avoid attacking government or healthcare entities. It further claimed "that sometimes an affiliate will lock a network without having us review it first."

Arguably, that was a cynical take, at best, given that the ransomware-as-a-service business model is built on empowering affiliates to take down any and all targets in pursuit of the biggest possible ransom payoff. Indeed, the only restriction apparently imposed by the group - and a potential clue as to where it's based - is that affiliates are prohibited from attacking anyone in Russia or another country that used to be part of the Soviet Union.

AvosLocker advertisement for partners or affiliates, circa November 2021 (Source: Kela)

Essential Defenses

In terms of defending against the ransomware, the FBI's alert offers the usual recommendations, including the need for organizations to "implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location."

Among other recommendations, the FBI advises always using anti-malware software on every system and keeping it and all other software fully updated and patched, locking down Active Directory, always enforcing the concept of least privileged access, maintaining offline backups and using "multifactor authentication where possible."

Like many other ransomware operations, AvosLocker affiliates often seek to gain domain administrator-level control of a victim's Active Directory environment, Kela says. The group has actively advertised for this since September 2021 via the Russian-language RAMP cybercrime forum, "claiming they prefer domain admin rights" for anyone who wants to give them network access to an organization, in exchange for either a set fee or a share of any resulting ransom payment, Kela says.

The FBI urges all ransomware victims to report the attack to a local FBI field office in the U.S. or other law enforcement agency in other countries. For U.S. victims, it says, the Cybersecurity Infrastructure and Security Agency may be able to provide incident response resources or other technical support.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.