In an ongoing effort to combat ransomware threats, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have joined forces to release a comprehensive Cybersecurity Advisory (CSA) shedding light on AvosLocker ransomware. This advisory arms organizations with vital information to identify Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), and detection methods associated with this ransomware variant.
Unveiling AvosLocker: A Ransomware as a Service (RaaS) Menace
AvosLocker is a notorious Ransomware as a Service (RaaS) group that operates with affiliates. These cybercriminals have set their sights on various critical infrastructure sectors within the United States, including Financial Services, Critical Manufacturing, and Government Facilities. AvosLocker not only handles ransom negotiations but also publishes and hosts exfiltrated victim data, upping the stakes for affected organizations.
How AvosLocker Operates: Technical Insights
AvosLocker ransomware encrypts files on a victim’s server, appending the “.avos” extension to them. Following encryption, the actors leave ransom notes on the victim server and provide a link to the AvosLocker payment site. Payment, usually in Monero, is demanded; however, Bitcoin is also accepted at a premium. Shockingly, alleged AvosLocker representatives have been reported to call victims, directing them to the payment site and even negotiating ransom amounts.
The ransomware targets Windows systems and is written in C++. It accepts several optional command line arguments that let the operators enable or adjust certain features at run time.
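The encryption behaviour described above (the ".avos" extension appended to each file, plus ransom notes dropped alongside them) is what a defender can look for on a file server after the fact. The following is an added detection example, not code from the FBI/CISA advisory or from The420.in: it scans a file listing, counts ".avos" files per directory, flags directories at or above a threshold, and collects candidate ransom notes. The ".avos" extension is from the advisory; the ransom-note name fragments, the note extensions and the threshold are assumptions chosen for illustration.

```python
"""Scan a file listing for AvosLocker-style encryption residue.

Added detection example; it is not code from the FBI/CISA advisory. The
".avos" extension comes from the advisory; the ransom-note name fragments,
the note extensions and the per-directory threshold are assumptions.
"""
import os
from collections import Counter
from typing import Dict, Iterable, List, Optional

ENCRYPTED_EXT = ".avos"          # appended to encrypted files per the advisory
NOTE_EXTS = (".txt", ".html")    # assumed: ransom notes are plain text or HTML
# Assumed name fragments common to generic ransom notes; not from the advisory.
NOTE_HINTS = ("readme", "ransom", "recover", "how_to", "get_your_files")


def classify_path(path: str) -> Optional[str]:
    """Return "encrypted", "note" or None for one file path (case-insensitive)."""
    name = os.path.basename(path).lower()
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    stem, ext = os.path.splitext(name)
    if ext in NOTE_EXTS and any(hint in stem for hint in NOTE_HINTS):
        return "note"
    return None


def summarize(paths: Iterable[str], min_encrypted: int = 5) -> Dict[str, object]:
    """Group encrypted files by directory and flag those at or above the threshold.

    The threshold filters out a stray file someone happened to name *.avos;
    mass encryption shows up as many such files in the same directory.
    """
    per_dir: Counter = Counter()
    notes: List[str] = []
    for path in paths:
        kind = classify_path(path)
        if kind == "encrypted":
            per_dir[os.path.dirname(path)] += 1
        elif kind == "note":
            notes.append(path)
    suspicious = sorted(d for d, n in per_dir.items() if n >= min_encrypted)
    return {
        "encrypted_total": sum(per_dir.values()),
        "suspicious_dirs": suspicious,
        "ransom_notes": notes,
    }


def scan_tree(root: str, min_encrypted: int = 5) -> Dict[str, object]:
    """Walk a real directory tree (e.g. a file-server share) and summarize it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return summarize(paths, min_encrypted)


# Constructed sample listing standing in for a file-server walk.
SAMPLE_PATHS = [
    "/srv/share/finance/q3_forecast.xlsx.avos",
    "/srv/share/finance/payroll.csv.avos",
    "/srv/share/finance/budget.docx.avos",
    "/srv/share/finance/GET_YOUR_FILES_BACK.txt",   # assumed note name
    "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/policy.docx.AVOS",               # mixed case still matches
    "/srv/share/eng/readme.md",                     # not .txt/.html: ignored
    "/srv/share/eng/build.log",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_PATHS, min_encrypted=3)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run `scan_tree("/path/to/share")` against a real mount to get the same summary; the per-directory threshold keeps a single oddly named file from raising an alert, while a directory full of ".avos" files (the pattern mass encryption leaves behind) is reported together with any note file found next to it.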
Unveiling the Extent of the Threat: Geographical Reach and Data Exposure
AvosLocker ransomware has targeted victims not only in the United States but also in countries like Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China, and Taiwan. The severity of the threat is compounded by the fact that AvosLocker actors threaten to sell stolen data to unidentified third parties if victims refuse to pay the ransom.
AvosLocker’s Methods and Targets: Vulnerabilities and Intrusion Vectors
Victims have reported that the likely intrusion vector for AvosLocker is vulnerabilities in on-premise Microsoft Exchange Servers. CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855 have been pinpointed as potential entry points, highlighting the importance of promptly patching and securing systems against these known vulnerabilities.
Taking a Stand: Mitigations and Best Practices
In the face of this evolving threat, organizations are urged to take proactive measures to protect their systems and data. Implementing a comprehensive recovery plan, maintaining secure and segmented backups, regularly updating antivirus software, and enforcing strong password policies are among the crucial steps that can bolster an organization’s defense against ransomware attacks.
Ensuring network segmentation, auditing user accounts, and providing cybersecurity training to users are equally vital components of a resilient cybersecurity strategy.
As the battle against ransomware rages on, collaboration and information sharing remain critical in empowering organizations to stay one step ahead of cyber threats like AvosLocker. Stay informed, stay vigilant, and together let’s #StopRansomware.