The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly issued a cybersecurity advisory linking the AvosLocker ransomware gang to attacks on critical infrastructure sectors in the U.S. These attacks were detected as recently as May 2023.
AvosLocker Ransomware Overview:
AvosLocker is a Ransomware-as-a-Service (RaaS) operation that first appeared in mid-2021.
Its payloads target Windows, Linux, and VMware ESXi environments.
The ransomware is built to evade antivirus protections on the hosts it encrypts.
Attack Techniques:
Legitimate Software and Tools: AvosLocker affiliates compromise networks using legitimate software and open-source remote system administration tools rather than bespoke malware.
Exfiltration-Based Data Extortion: The attackers steal data before encrypting it and threaten to leak or publish it to pressure victims into paying.
Living-Off-The-Land (LotL) Tactics: By relying on native operating system utilities and open-source tools, affiliates leave few artifacts that can be attributed to them.
Credential Theft: Tools such as LaZagne and Mimikatz are used to harvest credentials.
Custom Web Shells: Affiliates upload custom web shells to gain and maintain access to the victim's network.
Command-and-Control (C2): AvosLocker affiliates use Cobalt Strike and Sliver for C2.
Data Exfiltration: Legitimate file-transfer utilities such as FileZilla and Rclone are used to move stolen data out of the network.
New Component - NetMonitor.exe:
A new executable named NetMonitor.exe is named to look like a legitimate network monitoring tool, but it functions as a reverse proxy that gives the threat actors an inbound path to the compromised host from outside the victim's network.
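The techniques listed above and the NetMonitor.exe reverse proxy all show up in endpoint process-creation telemetry. The following Python script is an added example, not code from the CISA/FBI advisory or from this article, that runs simple detection logic over a few constructed Sysmon-style process-creation records. The tool filenames, command-line patterns and sample log lines are assumptions written for illustration; they are not indicators published by the advisory, and affiliates routinely rename binaries, which is why the example matches on command-line syntax as well as on filenames.

```python
"""Flag AvosLocker-style tooling in Windows process-creation telemetry.

Added example (not from the CISA/FBI advisory). The detections cover the
techniques the advisory describes: credential theft (Mimikatz, LaZagne),
exfiltration with Rclone/FileZilla, encoded PowerShell (living off the land),
and the NetMonitor.exe reverse proxy. Tool names, patterns and log lines are
assumptions for illustration, not indicators published by the advisory.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    user: str
    image: str
    technique: str
    reason: str


# Lower-cased binary names -> technique. Assumed filenames: affiliates often
# rename binaries, so the command-line patterns below matter more in practice.
KNOWN_TOOLS = {
    "mimikatz.exe": "Credential theft",
    "lazagne.exe": "Credential theft",
    "rclone.exe": "Data exfiltration",
    "filezilla.exe": "Data exfiltration",
    "netmonitor.exe": "Reverse proxy (NetMonitor.exe)",
}

# Command-line patterns that survive a renamed binary (assumed signatures).
CMDLINE_PATTERNS = [
    # Mimikatz module syntax, whatever the executable is called.
    (re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I),
     "Credential theft (Mimikatz syntax)"),
    # rclone copy/sync/move to a named remote ("mega:", "s3:"); \w{2,}: skips
    # single-letter drive specs such as C:, which robocopy-style copies use.
    (re.compile(r"\b(copy|sync|move)\s+\S+\s+\w{2,}:", re.I),
     "Data exfiltration (rclone remote syntax)"),
    # Base64-encoded PowerShell payloads.
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{32,}", re.I),
     "Living off the land (encoded PowerShell)"),
]

# key=value records, values optionally double-quoted (Sysmon Event ID 1 style).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def scan(log_text: str) -> list:
    """Return one Finding per matched rule across all process-creation records."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "1":      # only process-creation events
            continue
        image = rec.get("Image", "")
        cmdline = rec.get("CommandLine", "")
        user = rec.get("User", "?")
        basename = image.rsplit("\\", 1)[-1].lower()
        if basename in KNOWN_TOOLS:
            findings.append(Finding(user, image, KNOWN_TOOLS[basename],
                                    f"known tool name {basename}"))
        for pattern, technique in CMDLINE_PATTERNS:
            if pattern.search(cmdline):
                findings.append(Finding(user, image, technique,
                                        f"command line matched /{pattern.pattern}/"))
    return findings


# Constructed sample telemetry: one benign record, four that model the
# advisory's techniques (including Mimikatz renamed to svchost.exe).
SAMPLE_LOG = r"""
EventID=1 User=CORP\svc_backup Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"
EventID=1 User=CORP\jdoe Image=C:\Users\Public\netmon\NetMonitor.exe CommandLine="NetMonitor.exe"
EventID=1 User=CORP\jdoe Image=C:\Temp\rc.exe CommandLine="rc.exe copy D:\Finance mega:dump --transfers 16"
EventID=1 User=CORP\admin Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
EventID=1 User=CORP\jdoe Image=C:\Temp\svchost.exe CommandLine="svchost.exe privilege::debug sekurlsa::logonpasswords exit"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.technique}] {f.user} ran {f.image}: {f.reason}")
```

Run against the constructed sample the script raises four findings: the NetMonitor.exe filename, an rclone transfer to a named remote from a renamed binary, an encoded PowerShell command, and Mimikatz syntax executed by a file called svchost.exe outside System32. In production the same rules belong in the SIEM or EDR query language, fed by Sysmon or Windows Security event 4688 with command-line auditing enabled.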
Mitigations Recommended by CISA and FBI:
Implement application controls so that only approved software can execute.
Limit the use of Remote Desktop Protocol (RDP) and other remote desktop services.
Restrict PowerShell usage to the users and systems that need it.
Implement phishing-resistant multi-factor authentication.
Segment networks to limit lateral movement.
Keep all operating systems, software, and firmware up to date.
Maintain periodic offline backups and test that they can be restored.
Ransomware Trends in 2023:
Ransomware attacks have witnessed a surge in 2023.
Threat actors deployed ransomware within one day of initial access in more than 50% of engagements.
Exploitation of public-facing applications, stolen credentials, and commodity (off-the-shelf) malware were the three largest initial access vectors.
Conclusion:
The AvosLocker ransomware gang poses a significant threat to critical infrastructure sectors in the U.S. Their tactics, in particular the use of legitimate tools and living-off-the-land techniques that evade detection, make them a formidable adversary. Organizations are urged to implement the recommended mitigations to bolster their defenses against such attacks.

