Chris Swagler | March 24th, 2022

The Federal Bureau of Investigation (FBI), in a joint cybersecurity advisory with the United States Treasury Department and the Financial Crimes Enforcement Network (FinCEN), issued a warning about AvosLocker ransomware being used to target multiple United States critical infrastructure sectors. AvosLocker is a Ransomware-as-a-Service (RaaS) affiliate group that targets victims across various critical infrastructure sectors in the United States, including financial services, manufacturing, and government facilities. After its affiliates infect the targets, AvosLocker handles ransom negotiations and publishes and hosts the victim’s exfiltrated data. The indicators of compromise (IOCs) vary between indicators specific to the AvosLocker malware itself and those specific to the individual affiliate responsible for the intrusion. To defend against AvosLocker regardless of which IOCs are present, SpearTip runs a 24/7 Security Operations Center (SOC) in which certified engineers engage in continuous threat hunting and immediately neutralize suspicious activity.

AvosLocker ransomware encrypts the files on the victim’s server and renames the files with the “.avos” extension. The threat actors place ransom notes on the victim’s server and provide a link to a “.onion” payment site. The threat actors prefer payment in Monero, but accept Bitcoin for a 10-25% premium. Samples of the stolen data are posted on the leak site along with threats to sell the data to unspecified third parties if the victims do not pay the ransom. AvosLocker ransomware is a multi-threaded C++ Windows executable that operates as a console application and displays a log of the actions performed on the victim’s system. Threat operators can supply optional command line parameters to enable or disable specific features in AvosLocker ransomware samples.

To avoid infecting a system twice, AvosLocker ransomware creates a mutex object to serve as an infection marker. The malware maps accessible drives and counts the files in each directory before encrypting them. It encrypts files and leaves a ransom note in each directory named “GET_YOUR_FILES_BACK.txt”. In these intrusions, encrypted files carry the file extensions “.avos”, “.avos2” or “.AvosLinux”. The “GET_YOUR_FILES_BACK.txt” file directs victims to an onion site that can be accessed with the Tor Browser and prompts them to enter an ID provided in the ransom note.
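A defender-side triage helper, added here as an example and not code from the advisory or from SpearTip: it walks a directory tree looking for the ransom-note name and the three encrypted-file extensions described above, counts encrypted files per extension, records which directories received a note, and recovers the original file names by stripping the appended extension. The sample directory layout it builds is constructed for illustration only.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the advisory text above (compared case-insensitively)
AVOS_EXTENSIONS = (".avos", ".avos2", ".avoslinux")
RANSOM_NOTE = "GET_YOUR_FILES_BACK.txt"


def triage_tree(root):
    """Summarise AvosLocker-style artifacts under `root`.

    Returns a dict with:
      encrypted - {extension: count of files carrying it}
      notes     - sorted list of directories containing the ransom note
      originals - sorted original names recovered by stripping the extension
    """
    encrypted = Counter()
    notes = []
    originals = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(dirpath)
                continue
            lower = name.lower()
            for ext in AVOS_EXTENSIONS:
                if lower.endswith(ext):
                    encrypted[ext] += 1
                    originals.append(name[: -len(ext)])
                    break
    return {"encrypted": dict(encrypted), "notes": sorted(notes), "originals": sorted(originals)}


def build_sample_tree():
    """Constructed sample tree mimicking a post-encryption layout (not real malware output)."""
    root = tempfile.mkdtemp(prefix="avos_triage_")
    layout = {
        "finance": ["budget.xlsx.avos", "forecast.docx.avos", RANSOM_NOTE],
        "finance/archive": ["2019.zip.avos2", RANSOM_NOTE],
        "srv": ["app.conf.AvosLinux", "readme.md"],  # readme.md is untouched
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Pointing `triage_tree` at a mounted image of an affected volume gives an incident responder a quick count of the blast radius and a list of original names to match against backups.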

The threat actors publish the victim’s exfiltrated data on the AvosLocker public leak site if the victims don’t negotiate or pay the ransom. The public leak site is separate from the site AvosLocker directs victims to in the “GET_YOUR_FILES_BACK.txt” file. The site lists AvosLocker’s victims and samples of stolen data and gives visitors an opportunity to view a data sample and purchase additional data. The victims receive phone calls from an AvosLocker representative, encouraging victims to go to the onion site to negotiate and threatening to post the stolen data more publicly online. The threat actors will also threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.

The use of scheduled tasks and the modification of Windows Registry “Run” keys are two persistence mechanisms used on victims’ systems. Other tools used in AvosLocker ransomware attacks include Cobalt Strike, encoded PowerShell scripts, the PuTTY Secure Copy client tool “pscp.exe”, Rclone, AnyDesk, Scanner, Advanced IP Scanner, and WinLister. Victims have reported on-premises Microsoft Exchange Server vulnerabilities as the intrusion vector. Some victims observed other vulnerabilities, including the ProxyShell vulnerabilities associated with CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855.

With more ransomware groups targeting organizations across the critical infrastructure sectors, it’s important for companies to remain vigilant about the current threat landscape and keep their data network security software up to date. At SpearTip, our certified engineers continuously monitor networks and respond to any incident to prevent data breaches at critical infrastructure companies. ShadowSpear ensures that critical supplies and processes remain operable and provides efficient protection solutions to protect companies’ reputations, avoid downtime, and continue to provide vital services to the public. ShadowSpear is an unparalleled resource designed to integrate with the most complex networks and works with both IT and OT technology.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.