AvosLocker Ransomware Continues to Target US - CISA Alert AA23-284A

Cyber Security Threat Summary:
On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments. The group first emerged on the scene in June 2021. AvosLocker operates using a unique Ransomware-as-a-Service (RaaS) approach, providing ransomware tools and infrastructure to other cyber threat actors in exchange for a share of the ransom payments they collect.

Like many of their contemporaries in the world of ransomware, AvosLocker employs a strategy known as "double extortion." This means that, in addition to encrypting a victim's data and demanding a ransom, they also seize sensitive information and threaten to release it on their designated "leak site" if the ransom is not paid. This dual-pronged attack method increases the pressure on victims, especially those with valuable or confidential data at stake.

AvosLocker is notorious for targeting high-profile victims and requesting substantial ransom amounts. Notably, in recent times, they have set their sights on critical infrastructure in various sectors across the United States, Canada, the United Kingdom, and Spain.

Security Officer Comments:
AvosLocker often uses common initial access techniques such as spear-phishing emails, exploiting vulnerable public-facing applications, or using compromised Remote Desktop Protocol (RDP) credentials. After initial access, adversaries upload custom webshells to establish persistence in the victim's network. Using known credential dumping tools, AvosLocker threat actors steal credentials from the compromised host and use them for lateral movement and privilege escalation. Prior to encryption, attackers exfiltrate the victim's sensitive files to an adversary-controlled command and control (C2) server. In the final step, AvosLocker reboots the infected machine in Safe Mode with Networking and encrypts the victim's sensitive files.

CISA previously released another cybersecurity on AvosLocker ransomware in March 2022. Since then, the threat actors created new AvosLocker variants and added new capabilities to their arsenal. CISA recommends organizations continuously validate their security controls against the AvosLocker ransomware variants and their evolving threat behaviors.

MITRE Attack: T1078 - Valid Accounts AvosLocker ransomware operators obtain compromised credentials from Initial Access Brokers (IABs) and criminal forums/marketplaces. These valid accounts grant adversaries initial access to target networks through methods like RDP or VPN.

T1566 - Phishing AvosLocker threat actors employ spam email campaigns as the means to deliver their ransomware payload to chosen targets.

T1133 - External Remote Services The AvosLocker group utilizes external remote administration tools like AnyDesk, PuTTy, Atera Agent, Splashtop Streamer, Tactical RMM, and PDQ Deploy to establish initial access. Additionally, AvosLocker threat actors are known to exploit the Zoho ManageEngine CVE-2021-40539 vulnerability as an initial access vector.

T1059 - Command and Scripting Interpreter Adversaries utilize custom batch files and PowerShell scripts for activities such as privilege escalation, lateral movement, and defense evasion. These scripts are named Love.bat, lock.bat, update.bat, and AVO.ps1.

T1047 - Windows Management Instrumentation AvosLocker makes use of legitimate Windows tools such as PsExec and nltest to interact with Windows Management Instrumentation and execute commands.

T1505.003 - Server Software Component: Web Shell Upon gaining initial access, AvosLocker operators upload custom webshells to establish persistence within the compromised network.

T1562.009 - Impair Defenses: Safe Mode Boot Before initiating the ransomware payload, AvosLocker compels infected Windows hosts to reboot in Safe Mode. Safe Mode disables various endpoint protections, making it less likely for ransomware to be detected or prevented.

T1555 - Credentials from Password Stores AvosLocker threat actors leverage known public credential dumping tools like Mimikatz and LaZange to extract credentials from password storage mechanisms.

T1572 - Protocol Tunneling AvosLocker employs open-source tools such as Ligolo and Chisel to establish secure communication between a compromised network and an adversary-controlled C2 server. This encrypted channel allows AvosLocker threat actors to transfer malicious tools and steal sensitive data without detection, bypassing egress filtering.

T1486 - Data Encrypted for Impact AvosLocker ransomware deploys a hybrid encryption methodology, combining AES-256-CBC and RSA to encrypt victims' files. Depending on the version, encrypted files are marked with the .avos or .avos2 extension.

T1490 - Inhibit System Recovery AvosLocker operators delete all volume shadow copies on infected hosts to prevent victims from recovering their files.

Suggested Correction(s):
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk- based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi Factor authentication can help prevent malicious access to sensitive services.