An alarming trend has emerged as the AvosLocker ransomware group has been implicated in attacks targeting crucial infrastructure sectors across the United States, with some incidents surfacing as recently as May 2023. This information comes from a comprehensive cybersecurity advisory jointly issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The advisory sheds light on the tactics, techniques, and procedures (TTPs) employed by the ransomware-as-a-service (RaaS) operation.
CISA and the FBI reported that AvosLocker affiliates often gain access to organizational networks using widely available software and open-source system administration tools. Once they penetrate a network, the group utilizes exfiltration-based data extortion strategies, threatening to leak or publish the stolen information if their demands are not met.
This ransomware variant first appeared in mid-2021 and has continuously evolved, deploying advanced methods designed to evade detection, including disabling antivirus software. AvosLocker strains have been known to affect a variety of environments, including Windows, Linux, and VMware ESXi.
A key feature of AvosLocker’s operations is the use of living-off-the-land (LotL) techniques, which allow attackers to conceal their actions by leveraging existing software tools without leaving significant traces. Utilities such as FileZilla and Rclone are frequently employed for data exfiltration, alongside tunneling tools like Chisel and Ligolo. The attackers have also demonstrated the ability to utilize command-and-control (C2) frameworks such as Cobalt Strike and Sliver while employing credential theft techniques with tools like Lazagne and Mimikatz.
The advisory identifies the unauthorized use of custom web shells that facilitate persistent network access and highlights a new executable, NetMonitor.exe. This tool masquerades as a legitimate network monitoring application but operates as a reverse proxy, enabling the threat actors to maintain remote connections into compromised networks.
In response to this escalating threat, CISA and the FBI are urging critical infrastructure organizations to implement robust cybersecurity measures. Recommended strategies include adopting application controls, limiting access to remote desktop protocols, restricting PowerShell usage, instituting phishing-resistant multi-factor authentication, and ensuring regular system updates and offline backups.
The rapid evolution of ransomware tactics is underscored by data showing that threat actors are deploying ransomware within one day of initial access in over 50% of cases. This represents a significant decline from the previous average dwell time of 4.5 days observed in 2022. Additional findings indicate that ransomware is being executed within as little as five hours in over 10% of reported incidents, highlighting the urgency for organizations to strengthen their cybersecurity posture.
Various attack vectors have been identified, including exploitation of public-facing applications, use of compromised credentials, and reliance on external remote services. In MITRE ATT&CK terms, these intrusions map to the initial access, persistence, and privilege escalation tactics. In light of this, organizations should be vigilant against known misconfigurations and weaknesses, which have historically been weaponized in ransomware operations.
Lastly, the RaaS model and the availability of leaked ransomware code serve to lower the barriers for entry into cybercrime, allowing even novice attackers to exploit vulnerabilities for financial gain. Despite ongoing law enforcement efforts to dismantle prominent threat groups, the landscape of cybercrime continues to expand, driven by a combination of established players and newly emerging adversaries.
As the cyber threat landscape grows ever more complex, businesses must remain vigilant and proactive in their defense measures against ransomware and other evolving cyber threats.