In a critical update regarding the AvosLocker ransomware, the FBI and CISA have collaborated to issue a joint Cybersecurity Advisory (CSA) aimed at reinforcing defenses against this threat. This advisory is part of the broader #StopRansomware initiative, showcasing various ransomware variants and their associated tactics to provide organizations with essential protective measures.
"This advisory includes recently and historically observed tactics, techniques, and procedures, along with indicators of compromise to help organizations protect against ransomware," stated the FBI in their announcement. This updated information highlights the risk posed by AvosLocker, which operates predominantly through a ransomware-as-a-service (RaaS) model.
Since its emergence, AvosLocker affiliates have been responsible for compromises across various critical infrastructure sectors in the United States, affecting a wide range of environments, from Windows to Linux and VMware ESXi. The methodology employed by these affiliates is concerning; they utilize legitimate software and open-source remote administration tools to penetrate organizational networks.

"AvosLocker affiliates have compromised organizations’ networks by using legitimate software and open-source remote system administration tools," said CISA officials, underscoring the sophisticated nature of these attacks. This technique is especially alarming because it enables threat actors to blend into typical network operations.
The advisory underscores the exfiltration-based data extortion tactics that AvosLocker affiliates deploy, threatening to leak or publish stolen data if their demands are not met. It is crucial for organizations to recognize these tactics as a significant threat. The risks have escalated, making it imperative for stakeholders to adopt robust security practices.
This updated advisory builds upon previously released guidance, specifically updating the March 2022 advisory concerning AvosLocker. It includes new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) not previously covered. "This update includes IOCs and TTPs not included in the previous advisory," said an FBI spokesperson, emphasizing the ongoing evolution of these threats.
Impact and Legacy
Organizations are encouraged to leverage the recommendations contained in this CSA to mitigate the potential impact of AvosLocker and other ransomware attacks. Implementing these suggested practices can significantly reduce both the likelihood of successful attacks and the extent of damage inflicted by any breaches.

The specific tactics used by AvosLocker affiliates are alarming. According to the advisory, they are known to use various legitimate tools, such as Notepad++, RDP Scanner, and 7zip, during their operations. They also utilize FileZilla and Rclone for data exfiltration, while tools like Lazagne and Mimikatz are employed to harvest credentials. Such revelations underscore the importance of maintaining vigilance and updated security protocols.
Additionally, the FBI has identified that AvosLocker affiliates employ certain techniques to enhance their access and control over compromised systems. “Affiliates use custom webshells to enable network access,” noted one FBI cyber analyst. They also execute custom PowerShell scripts and batch files to facilitate their operations, further illustrating the technical sophistication behind these attacks.
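The tool list and the webshell-spawned-script pattern above are the kind of observations a defender turns into a process-creation hunt. The following is an added example, not code from the advisory or from the FBI/CISA: it scans a handful of constructed, Sysmon-style process-creation lines (the sample events, field names and file paths are all made up for this illustration) for the tools the advisory names and for a shell launched by a web server worker process, which is a common symptom of a webshell. It matches on image file names only, so a renamed binary would slip past it; in practice this check is paired with hash-based or behavioural detections.

```python
import re
from pathlib import PureWindowsPath

# Tools the advisory names as used by AvosLocker affiliates, keyed by the
# binary name they normally ship under. "RDP Scanner" is left out because
# the advisory text here does not give a binary name for it.
WATCHLIST = {
    "rclone.exe": "Rclone (named for data exfiltration)",
    "filezilla.exe": "FileZilla (named for data exfiltration)",
    "mimikatz.exe": "Mimikatz (named for credential harvesting)",
    "lazagne.exe": "LaZagne (named for credential harvesting)",
    "7z.exe": "7zip (benign on its own; review the surrounding activity)",
}

# Web server worker processes; a command shell or PowerShell spawned by one
# of these is a typical sign of a webshell being used for execution.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events (assumed "Key=Value" layout, one event per line).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe",
    r"Image=C:\Users\Public\rclone.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=rclone.exe copy D:\share remote:bucket",
    r"Image=C:\Temp\mimikatz.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=mimikatz.exe",
    r"Image=C:\Program Files\FileZilla FTP Client\filezilla.exe ParentImage=C:\Windows\explorer.exe CommandLine=filezilla.exe",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\inetpub\wwwroot\w3wp.exe CommandLine=powershell.exe -File C:\Temp\run.ps1",
]

# Splits "Key=Value Key2=Value2" where values may contain spaces but not "=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Parse one Key=Value event line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path ('' if the path is empty)."""
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """Return (image_name, reason) findings for every suspicious event."""
    findings = []
    for line in events:
        event = parse_event(line)
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        if image in WATCHLIST:
            findings.append((image, WATCHLIST[image]))
        if parent in WEB_WORKERS and image in SHELLS:
            findings.append((image, f"shell spawned by web server worker {parent}"))
    return findings


if __name__ == "__main__":
    for image, reason in analyze(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

Run against real telemetry, the same two checks map onto a SIEM query: one list match on the image name, one parent/child pairing. The 7zip entry is deliberately low confidence, since archivers are everywhere; the advisory's point is that these are legitimate tools, so the parent process, user and timing carry more weight than the name alone.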
CISA's advisory reiterates the necessity for organizations to understand these tactics and adapt accordingly. "Critical infrastructure organizations must also implement the recommendations in the Mitigations section to reduce the likelihood and impact of AvosLocker ransomware and other ransomware incidents," the agency stated in the advisory.
For organizations seeking to bolster their defenses, this advisory serves as a resource. The downloadable PDF report not only details IOCs but also offers insights into best practices to combat ransomware threats.
In summary, the evolving landscape of ransomware—especially concerning AvosLocker—underscores an urgent need for organizations to enhance their cybersecurity posture. As these threat actors continue to adapt their strategies, staying informed and prepared is essential for safeguarding critical infrastructure and sensitive data against the persistent threat of ransomware attacks. Organizations are advised to review the latest advisory and implement necessary changes to protect against such cyber threats.