FBI: AvosLocker Ransomware targets victims in critical infrastructure sectors

ransomware, cybersecurity, cyber-3998798.jpg

The Federal Bureau of Investigation (FBI) has issued a report of cybercriminals using AvosLocker ransomware to target entities across critical infrastructure sectors. The report includes the latest indicators of compromise (IoC) on the ransomware threat.

AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group who has been known to target entities in Critical Financial Services, Critical Manufacturing, and Government Facilities.

The FBI summarized the threat in a new joint cybersecurity advisory published March 17, 2022:

“AvosLocker ransomware encrypts files on a victim’s server and renames them with the ‘.avos’ extension. AvosLocker actors then place ransom notes on the victim server and include a link to an AvosLocker .onion payment site.”

The actors typically accept Monero for ransom payments, but will also accept Bitcoin for a 10-25% premium.

Moreover, the AvosLocker ransomware is a multi-threaded Windows executable written in C++. The malware runs as a console application and displays various logs of activity performed on victims’ systems.

Affected Vulnerabilities

According the FBI, multiple entities have reported on-premise Microsoft Exchange Server vulnerabilities were likely exploited, such as the ProxyShell vulnerabilities that were discovered last year.

The ProxyShell vulnerabilities (CVE-2021-34473CVE-2021-34523CVE-2021-31207) were patched by Microsoft as part of May 2021 patch updates. One of those, CVE-2021-34473, could result in remote code execution.

Finally, readers can check out the FBI report for more details on AvosLocker to include indicators of compromise (IoC), tools used and recommended mitigations.

Related Articles