US critical infrastructure sector under threat from AvosLocker ransomware, agencies find

U.S. agencies identified that the AvosLocker affiliate-based group has targeted multiple critical infrastructure sectors in the nation, including, but not limited to, the financial services, critical manufacturing, and government facilities sectors. AvosLocker has been classified as a Ransomware as a Service (RaaS) hacker group, often recognized by security agencies as increasingly ‘professional’ with a well-established criminal business model. 

“AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets,” according to a joint cybersecurity advisory (CSA) issued by the Federal Bureau of Investigation (FBI), in coordination with the US Treasury Department and the Financial Crimes Enforcement Network (FinCEN). “As a result, AvosLocker indicators of compromise (IOCs) vary between indicators specific to AvosLocker malware and indicators specific to the individual affiliate responsible for the intrusion,” it added.

“The AvosLocker ransomware encrypts files on a victim’s server and renames them with the ‘.avos’ extension. AvosLocker actors then place ransom notes on the victim server and include a link to an AvosLocker .onion payment site,” the advisory identified. “Depending upon the affiliate, payments in Monero are preferred; however, they accept Bitcoin for a 10-25% premium,” it added. 

The advisory also observed that alleged representatives from the hacker group make phone calls to the victims to direct them to the payment site to negotiate. “Multiple victims have also reported that AvosLocker negotiators have been willing to negotiate reduced ransom payments,” it added.  

The advisory said that the AvosLocker leak site claims to have targeted victims in the U.S., Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China, and Taiwan. “The leak site includes samples of stolen victim data and threatens to sell the data to unspecified third parties if a victim does not pay the ransom. AvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems,” it added. 

The ransomware samples contained optional command-line arguments that an attacker could supply to enable/disable certain features, the advisory added.

It found that AvosLocker ransomware creates a mutex object for use as an infection marker to avoid infecting a system twice. “Prior to encryption, the ransomware maps accessible drives and enumerates files in directories. It then encrypts files while creating a ransom note named ‘GET_YOUR_FILES_BACK.txt’ in every directory,” it added.

In observed cases, encrypted files have the file extension ‘.avos’, ‘.avos2’, or ‘.avoslinux’, the advisory said. “Infected directories have a text file entitled ‘GET_YOUR_FILES_BACK.txt’. In some cases, the text from the text file reproduces on the desktop wallpaper of infected servers. The ‘GET_YOUR_FILES_BACK.txt’ file directs victims to an onion site accessible via a Tor browser, where the victim is prompted to enter an ID provided to them in the ransom note,” it added.

The advisory also found that the hackers publish victim exfiltrated data on the group’s public leak site if victims do not negotiate or pay the ransom. “The AvosLocker public leak site is separate from the site AvosLocker directs victims to in the ‘GET_YOUR_FILES_BACK.txt’ file. The public leak site lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim’s network. The leak site gives visitors an opportunity to view a sample of victim data and to purchase victim data,” it added. 
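The file-system artifacts described above (the ‘.avos’/‘.avos2’/‘.avoslinux’ extensions and the ‘GET_YOUR_FILES_BACK.txt’ note in every encrypted directory) are what an incident responder triages first. The following scanner is an added example, not code from the advisory or the agencies; it walks a directory tree and tallies those artifacts per directory, using a constructed sample tree so it runs offline.

```python
import os
import tempfile

# Artifacts named in the advisory: encrypted-file extensions and the ransom note name.
# Extension matching is case-insensitive.
AVOS_EXTENSIONS = {".avos", ".avos2", ".avoslinux"}
RANSOM_NOTE = "GET_YOUR_FILES_BACK.txt"


def scan_tree(root):
    """Walk `root` and tally AvosLocker-style artifacts per directory.

    Returns {relative_dir: {"encrypted": int, "ransom_note": bool}} for every
    directory holding at least one artifact. Triage logic added for
    illustration: it inspects file names only and never reads file contents.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = 0
        note_present = False
        for name in filenames:
            if name == RANSOM_NOTE:
                note_present = True
            elif os.path.splitext(name)[1].lower() in AVOS_EXTENSIONS:
                encrypted += 1
        if encrypted or note_present:
            rel = os.path.relpath(dirpath, root)
            findings[rel] = {"encrypted": encrypted, "ransom_note": note_present}
    return findings


def build_sample_tree():
    """Create a constructed directory tree mimicking a post-encryption host."""
    root = tempfile.mkdtemp(prefix="avos_demo_")
    layout = {
        "finance": ["budget.xlsx.avos", "q1.docx.AVOS", RANSOM_NOTE],
        "finance/archive": ["old.zip.avos2", RANSOM_NOTE],
        "public": ["readme.txt"],  # untouched directory, must not be reported
    }
    for rel, names in layout.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_dir, info in sorted(scan_tree(sample_root).items()):
        print(f"{rel_dir}: {info['encrypted']} encrypted file(s), "
              f"ransom note present={info['ransom_note']}")
```

On a real host, point `scan_tree` at each mapped drive root; directories reported with a ransom note but zero encrypted files are also worth a look, since the note is dropped into every directory the ransomware enumerated.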

The agencies also identified phone calls and DDoS attacks as pressure tactics used during negotiations. In some cases, AvosLocker victims receive phone calls from an AvosLocker representative. “The caller encourages the victim to go to the onion site to negotiate and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations,” it added.

Other tools associated with AvosLocker ransomware attacks include Cobalt Strike, encoded PowerShell scripts, the PuTTY Secure Copy client tool ‘pscp.exe’, Rclone, AnyDesk, Scanner, Advanced IP Scanner, and WinLister, the advisory said.

Last week, the U.S. security agencies warned organizations, after Russian state-sponsored hackers gained network access to a non-governmental organization (NGO). The adversaries gained access by exploiting default multi-factor authentication (MFA) protocols and a Windows Print Spooler ‘PrintNightmare’ vulnerability that runs arbitrary code with system privileges.
