Key industries warned over rising threat actor

Authorities in the US have warned critical infrastructure companies to be on the lookout for a ransomware group that has been gaining ground across the world since its debut last year.

“AvosLocker is a ransomware affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States,” said the Joint Cybersecurity Advisory report, co-authored by the FBI, financial crimes regulator FinCEN, and the Treasury.

The group's targets include organizations in the financial, manufacturing, and government sectors, and its attacks are not limited to the US – installations in countries as far afield as Saudi Arabia, Syria, Germany, the UK, Taiwan, and China have also been hit.

AvosLocker threat actors typically exfiltrate data and encrypt it using the “.avos” extension before demanding money in cryptocurrency to return stolen information. Victims are usually extorted in Monero, with Bitcoin payments being accepted only at a 10-25% mark-up – another sign that cybercriminals are increasingly turning away from the pioneer digital currency.

The report added: “AvosLocker ransomware is a multi-threaded Windows-executable written in C++ that runs as a console application and shows a log of actions performed on victim systems.”

The ransomware program maps the files and drives of target companies before encrypting data and issuing a ransom note titled "GET_YOUR_FILES_BACK.txt" in every directory.

Victims are then directed to “an onion site accessible via a Tor browser, where the victim is prompted to enter an ID provided to them in the ransom note.”

Cold-hearted calling

In other cases, victims received phone calls from an AvosLocker gang member threatening them if they did not comply with the group's demands.

“The caller encourages the victim to go to the onion site to negotiate and threatens to post stolen data online,” said the report. “In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.”

Indicators of compromise in AvosLocker attacks highlighted by the report include tampering with Windows Registry ‘run’ keys and the use of scheduled tasks.
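The two file-system indicators quoted earlier (the ".avos" extension and the "GET_YOUR_FILES_BACK.txt" note dropped into every directory) and the Run-key tampering mentioned here are the kind of signals a responder checks first. The script below is an added example written for this article, not code from the advisory or its authors: it walks a directory tree for both file indicators, reports how many directories carry the note (the advisory says every directory does, which separates a real encryption run from a single stray file), and diffs Run-key entries against a known-good baseline. The sample tree, the `reg query` text and the value names and paths in it are constructed placeholders, not AvosLocker indicators.

```python
"""Defender-side triage for the AvosLocker indicators quoted in the advisory
text: files with the ".avos" extension, the "GET_YOUR_FILES_BACK.txt" note in
every directory, and Run-key persistence. Hypothetical example, not code from
the advisory; the sample tree and `reg query` output below are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass, field

RANSOM_NOTE = "GET_YOUR_FILES_BACK.txt"   # file name quoted in the advisory
ENCRYPTED_EXT = ".avos"                  # extension quoted in the advisory


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    note_dirs: list = field(default_factory=list)
    dirs_scanned: int = 0

    @property
    def note_coverage(self) -> float:
        """Share of scanned directories holding a note. The advisory says the
        note lands in every directory, so a value near 1.0 points to a full
        encryption run rather than one stray file."""
        if not self.dirs_scanned:
            return 0.0
        return len(self.note_dirs) / self.dirs_scanned


def scan_tree(root: str) -> ScanResult:
    """Walk a tree and collect both file-system indicators."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        result.dirs_scanned += 1
        for name in filenames:
            if name == RANSOM_NOTE:
                result.note_dirs.append(dirpath)
            elif name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(os.path.join(dirpath, name))
    return result


def parse_reg_query(output: str) -> dict:
    """Parse the text `reg query HKCU\\...\\Run` prints into {name: command}.
    Columns are separated by runs of spaces; the key header line has no
    REG_ type column and is skipped."""
    entries = {}
    for line in output.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries[parts[0]] = parts[2]
    return entries


def run_key_changes(current: dict, baseline: dict) -> dict:
    """Entries added or altered since a known-good baseline: Run-key
    tampering shows up as a new value name or a changed command line."""
    return {k: v for k, v in current.items() if baseline.get(k) != v}


def build_sample_tree(root: str) -> None:
    """Constructed victim tree: a note in every directory and two files
    renamed with the encrypted-file extension."""
    for sub in ("", "Finance", os.path.join("Finance", "2021"), "HR"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, RANSOM_NOTE), "w") as f:
            f.write("constructed ransom note text\n")
    for rel in ("Finance/ledger.xlsx.avos", "Finance/2021/q3.docx.avos", "HR/readme.txt"):
        with open(os.path.join(root, *rel.split("/")), "w") as f:
            f.write("constructed contents\n")


def scan_sample_tree() -> ScanResult:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


# Constructed `reg query` output; value names and paths are placeholders.
BASELINE_RUN = parse_reg_query(
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    OneDrive    REG_SZ    \"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background\n"
)
CURRENT_RUN = parse_reg_query(
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    OneDrive    REG_SZ    \"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background\n"
    "    SvcHelper    REG_SZ    C:\\Users\\Public\\svchelper.exe\n"
)


def sample_run_key_changes() -> dict:
    return run_key_changes(CURRENT_RUN, BASELINE_RUN)


if __name__ == "__main__":
    r = scan_sample_tree()
    print(f"{len(r.encrypted_files)} encrypted files, note coverage {r.note_coverage:.0%}")
    for name, cmd in sample_run_key_changes().items():
        print(f"new or changed Run entry: {name} -> {cmd}")
```

On a live host the baseline would come from an earlier capture of the same key and `scan_tree` would be pointed at the affected shares; scheduled tasks, the other persistence mechanism the report names, can be diffed the same way from a saved task list.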

“Multiple victims have reported Microsoft Exchange Server vulnerabilities as the likely intrusion vector [of attack],” added the report, while other targets had named the ProxyShell weaknesses associated with CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855 as areas for concern.

The report’s authors urge companies to keep multiple copies of sensitive and valuable data in a secure separate location to mitigate any future attacks by AvosLocker.

It’s not clear whether the ransomware group is linked to the Kremlin, but according to cyber threat intelligence researcher Unit 42, a user by the name of “Avos” was seen trying to recruit members on Russian forum XSS last year.