Several US authorities have released a new alert warning of the threat to critical infrastructure (CNI) providers from the AvosLocker ransomware group.
The ransomware-as-a-service affiliate operation is targeting financial services, manufacturing and government entities, as well as organizations in other sectors, the report revealed.
Victims reportedly hail from all over the globe, including the US, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the UK, Canada, China and Taiwan.
While double extortion is a common tactic used by affiliates to force payment, some groups using the malware variant have taken an even more hands-on approach.
“In some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the onion site to negotiate and threatens to post stolen data online,” the advisory said. “In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.”
The report, Indicators of Compromise Associated with AvosLocker Ransomware, was co-authored by the FBI, the Treasury and the latter’s Financial Crimes Enforcement Network (FinCEN). As the name suggests, it’s designed to help network defenders spot and mitigate the IoCs indicating an AvosLocker attack.
However, these will vary depending on the affiliate group involved, the report admitted.
IoCs include: persistence mechanisms such as modification of Windows Registry “Run” keys and the use of scheduled tasks; abuse of legitimate tooling such as Cobalt Strike, PowerShell, WinLister and AnyDesk; and targeting of on-premises Microsoft Exchange servers with ProxyShell exploits.
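Two of the persistence mechanisms named above, Run-key modification and scheduled tasks, can be audited from exports that an administrator already knows how to produce. The following is an added example written for this article, not code from the advisory or its authors: it parses a constructed `.reg`-style export of the Run keys and a constructed `schtasks /query /fo CSV /v` listing (trimmed to two columns), then flags entries that hit a small set of triage heuristics. The heuristics (encoded or hidden-window PowerShell, autostart binaries in user-writable paths, a remote access tool set to auto-start) and all sample paths and names are this example's own assumptions, chosen to illustrate the categories the report lists.

```python
import csv
import io
import re

# Constructed sample data for this example (not from the advisory): a .reg-style
# export of the Run keys and a `schtasks /query /fo CSV /v` listing trimmed to
# the two columns the check needs. Paths, names and the encoded string are made up.
RUN_KEY_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -nop -w hidden -enc QQBCAEMA"
"Remote"="C:\\Users\\Public\\AnyDesk.exe --start-with-win"
'''

SCHEDULED_TASKS_CSV = '''"TaskName","Task To Run"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$"
"\\SysHelper","C:\\ProgramData\\svc\\helper.bat"
"\\Backup","C:\\Windows\\Temp\\ad.exe --silent"
'''

# Triage heuristics; these are this example's own assumptions about what to
# review first, not signatures taken from the advisory.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"powershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", re.I),
     "PowerShell with an encoded command line"),
    (re.compile(r"powershell(\.exe)?\b.*\s-w(indowstyle)?\s+hidden\b", re.I),
     "PowerShell launched with a hidden window"),
    (re.compile(r"\\(Users\\Public|ProgramData|Windows\\Temp|AppData\\Local\\Temp)\\.*?\.(exe|bat|cmd|ps1|vbs|js)\b", re.I),
     "autostart binary in a user-writable location"),
    (re.compile(r"\banydesk\.exe\b", re.I),
     "remote access tool (AnyDesk) set to start automatically"),
]

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key_path, value_name, command) from a .reg export of Run keys."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        key = _KEY_LINE.match(line)
        if key:
            current_key = key.group(1)
            continue
        value = _VALUE_LINE.match(line)
        if value and current_key:
            # .reg files escape backslashes and quotes with a backslash.
            command = re.sub(r"\\(.)", r"\1", value.group(2))
            yield current_key, value.group(1), command


def parse_schtasks_csv(text):
    """Yield (source, task_name, command) from a schtasks CSV listing."""
    for row in csv.DictReader(io.StringIO(text)):
        yield "schtasks", row["TaskName"], row["Task To Run"]


def classify(command):
    """Return the list of heuristic reasons a command line is worth a look."""
    return [reason for pattern, reason in SUSPICIOUS_PATTERNS if pattern.search(command)]


def audit_autostarts(reg_text, tasks_csv):
    """Combine both persistence sources and keep only entries that hit a heuristic."""
    entries = list(parse_reg_export(reg_text)) + list(parse_schtasks_csv(tasks_csv))
    findings = []
    for source, name, command in entries:
        reasons = classify(command)
        if reasons:
            findings.append({"source": source, "name": name,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autostarts(RUN_KEY_EXPORT, SCHEDULED_TASKS_CSV):
        print(f"[{f['source']}] {f['name']}: {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the constructed data the two legitimate entries (the OneDrive and SecurityHealth autostarts, the Defrag task) pass silently while the encoded PowerShell launcher, the AnyDesk copy in a public folder and the two tasks running out of ProgramData and Temp are listed with the reason each matched. The output is a review list, not a verdict: a hit means a human checks the binary's origin and signature, which is the step the advisory's Run-key and scheduled-task IoCs are meant to prompt.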
The report concluded with a long list of mitigations, including network segmentation, prompt patching, multi-factor authentication and the disabling of unused ports.
AvosLocker hasn’t always targeted critical infrastructure. In October last year, it hit Chicago-based confectionery maker Ferrara just before Halloween.