The Federal Bureau of Investigation (FBI) has issued a report of cybercriminals using AvosLocker ransomware to target entities across critical infrastructure sectors. The report includes the latest indicators of compromise (IoC) on the ransomware threat.
AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group who has been known to target entities in Critical Financial Services, Critical Manufacturing, and Government Facilities.
The FBI summarized the threat in a new joint cybersecurity advisory published March 17, 2022:
“AvosLocker ransomware encrypts files on a victim’s server and renames them with the ‘.avos’ extension. AvosLocker actors then place ransom notes on the victim server and include a link to an AvosLocker .onion payment site.”
The actors typically accept Monero for ransom payments, but will also accept Bitcoin for a 10-25% premium.
Moreover, the AvosLocker ransomware is a multi-threaded Windows executable written in C++. The malware runs as a console application and displays various logs of activity performed on victims’ systems.
Affected Vulnerabilities
According the FBI, multiple entities have reported on-premise Microsoft Exchange Server vulnerabilities were likely exploited, such as the ProxyShell vulnerabilities that were discovered last year.
The ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) were patched by Microsoft as part of May 2021 patch updates. One of those, CVE-2021-34473, could result in remote code execution.
Finally, readers can check out the FBI report for more details on AvosLocker to include indicators of compromise (IoC), tools used and recommended mitigations.