AvosLocker, a ransomware-as-a-service menace that launched in July 2021, continues to attack US critical infrastructure, the US Federal Bureau of Investigations (FBI) has warned in an advisory.
The AvosLocker gang has targeted victims in the US within financial services, critical manufacturing, and government facilities, according to the FBI.
“AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets,” the FBI’s Internet Crime Center (IC3) reports.
SEE: Cybersecurity: Let’s get tactical (ZDNet special report)
AvosLocker hit the ransomware scene last year, cunningly using AnyDesk remote admin software in Windows Safe Mode to bypass anti-malware software. PaloAlto Networks’ assessed that AvosLocker is a marketing-savvy operation based on “press releases” it publishes on dark web forums to threaten victims and attract affiliates.
“AvosLocker offers technical support to help victims recover after they’ve been attacked with encryption software that the group claims is “fail-proof,” has low detection rates and is capable of handling large files,” Palo Alto Networks said.
The gang claims to have caused havoc at organizations in the US, the UK, the UAE, Belgium, Spain and Lebanon, with ransom demands ranging from $50,000 to $75,000.
AvosLocker’s operators prefer ransom payments made in the popular Bitcoin alternative, Monero, but also accept Bitcoin at 10% to 25% above the current US dollar price, according to the FBI. The agency also warns that, in an unusual move, the gang might even phone up victims to pressure them into doing a deal.
“In some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the onion site to negotiate and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations,” the FBI said. DDoS attacks are unfortunately readily available, cheap and powerful.
The Windows AvosLocker app is written in C++ and runs as a console application that logs actions on victims’ machines and allows the attacker to remotely enable or disable “certain features”.
It is a so-called double-extortion racket, where the attackers both steal and encrypt data. They steal data and threaten to leak the contents via a website to pressure victims into paying. The gang also started auctioning leaks to cash in on situations where a ransom negotiation failed – a product they borrowed from the notorious REvil ransomware gang.
Software tools that AvosLocker has been observed using include the Cobalt Strike pen-testing kit, encoded PowerShell, the PuTTY Secure Copy client tool “pscp.exe”, Rclone, AnyDesk, Scanner, Advanced IP Scanner, and WinLister, according to the FBI document.
The group also uses Proxy Shell bugs tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 that were disclosed in July, as well as last year’s Microsoft Exchange Server bug CVE-2021-26855. But the FBI notes that exactly how the attackers breach a target’s network depends on the skills of the AvosLocker affiliate carrying out the attack.
The FBI’s advisory is another arm of the US government’s efforts via the Department of Homeland’s US Cybersecurity and Infrastructure Security Agency (CISA) to urge all organizations to patch everything and bolster cybersecurity amid fears that Russian state-sponsored hackers will target US organizations with destructive malware because of the West’s sanctions against Russia over its invasion of Ukraine.