The AvosLocker ransomware gang has been linked to attacks against critical infrastructure sectors in the U.S., with some of them detected as recently as May 2023.
That’s according to a new joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) detailing the ransomware-as-a-service (RaaS) operation’s tactics, techniques, and procedures (TTPs).
“AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools,” the agencies said. “AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.”
The ransomware strain first emerged on the scene in mid-2021, and has since leveraged sophisticated techniques to disable antivirus protection as a detection evasion measure. It affects Windows, Linux, and VMware ESXi environments.
A key hallmark of AvosLocker attacks is the reliance on open-source tools and living-off-the-land (LotL) tactics, leaving no traces that could lead to attribution. Also used are legitimate utilities like FileZilla and Rclone for data exfiltration as well as tunneling tools such as Chisel and Ligolo.
Command-and-control (C2) is accomplished by means of Cobalt Strike and Sliver, while Lazagne and Mimikatz are used for credential theft. The attacks also employ custom PowerShell and Windows Batch scripts for lateral movement, privilege escalation, and disarming security software.
“AvosLocker affiliates have uploaded and used custom web shells to enable network access,” the agencies noted. Another new component is an executable named NetMonitor.exe that masquerades as a network monitoring tool but actually functions as a reverse proxy to allow the threat actors to connect to the host from outside the victim’s network.
CISA and the FBI recommend that critical infrastructure organizations implement the mitigations needed to reduce the likelihood and impact of AvosLocker ransomware and other ransomware incidents.
These include adopting application controls, limiting the use of RDP and other remote desktop services, restricting PowerShell use, requiring phishing-resistant multi-factor authentication, segmenting networks, keeping all systems up to date, and maintaining periodic offline backups.
The development comes as Mozilla warned of ransomware attacks leveraging malvertising campaigns that trick users into installing trojanized versions of Thunderbird, ultimately leading to the deployment of file-encrypting malware and commodity malware families such as IcedID.
Ransomware attacks in 2023 have surged, and threat actors are also moving faster: according to Secureworks, ransomware was deployed within one day of initial access in more than 50% of engagements, down from a median dwell time of 4.5 days in 2022.
What’s more, in more than 10 percent of incidents, ransomware was deployed within five hours.
“The driver for the reduction in median dwell time is likely due to the cybercriminals’ desire for a lower chance of detection,” Don Smith, vice president of threat intelligence at Secureworks Counter Threat Unit, said.
“As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high.”
Exploitation of public-facing applications, stolen credentials, off-the-shelf malware, and external remote services have emerged as the three largest initial access vectors for ransomware attacks.
Per the latest guidance from CISA, exposed remote desktop protocol (RDP), file transfer protocol (FTP), TELNET, Server Message Block (SMB), and Virtual Network Computing (VNC) services are among the misconfigurations and weaknesses known to have been commonly weaponized in ransomware campaigns.
To rub salt into the wound, the RaaS model and the ready availability of leaked ransomware code have lowered the barrier to entry for even novice criminals, making it a lucrative avenue to make illicit profits.
“While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks,” Smith added. “Despite high profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace.”
Microsoft, in its annual Digital Defense Report, said 70% of organizations encountering human-operated ransomware had fewer than 500 employees, and that 80 to 90 percent of all compromises originate from unmanaged devices.
Telemetry data gathered by the company shows that human-operated ransomware attacks have gone up more than 200 percent since September 2022. Magniber, LockBit, Hive, and BlackCat comprised almost 65 percent of all ransomware encounters.
On top of that, approximately 16 percent of recent successful human-operated ransomware attacks involved both encryption and exfiltration, while 13 percent used exfiltration only.
“Ransomware operators are also increasingly exploiting vulnerabilities in less common software, making it more difficult to predict and defend against their attacks,” the tech giant said. “This reinforces the importance of a holistic security approach.”
Redmond said it also observed a “sharp increase” in the use of remote encryption during human-operated ransomware attacks, accounting for 60 percent on average over the past year.
“Instead of deploying malicious files on the victim device, encryption is done remotely, with the system process performing the encryption, which renders process-based remediation ineffective,” Microsoft explained. “This is a sign of attackers evolving to further minimize their footprint.”
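The remote-encryption pattern Microsoft describes means the process doing the file writes on the victim is the system process serving SMB, so endpoint rules keyed on a malicious process have nothing to catch. What is still observable is the share-access pattern from the remote host: many files read and then written back under a new suffix in a short burst. The script below is an added illustration of that detection idea, not code from the advisory or from Microsoft. It runs over a constructed log whose line format is loosely modelled on the fields of Windows Security event 5145 (source address, share, relative target name, access type); the exact format, the IP addresses, the `.locked` suffix and the thresholds are all assumptions for the example.

```python
"""Flag SMB read-then-rewrite bursts consistent with remote encryption.

Added example: a constructed log loosely modelled on the fields of Windows
Security event 5145. The line format, hosts, file names and thresholds are
assumptions for this demonstration, not a real event export.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample: 10.0.5.23 reads four files and writes each back with a new
# suffix plus a ransom note; 10.0.7.41 is an ordinary user editing one file.
SAMPLE_LOG = r"""
2023-10-12T09:01:02 EventID=5145 SrcIP=10.0.5.23 Share=\\*\Finance Target=Q3\budget.xlsx Access=ReadData
2023-10-12T09:01:03 EventID=5145 SrcIP=10.0.5.23 Share=\\*\Finance Target=Q3\budget.xlsx.locked Access=WriteData
2023-10-12T09:01:03 EventID=5145 SrcIP=10.0.5.23 Share=\\*\Finance Target=Q3\forecast.docx Access=ReadData
2023-10-12T09:01:04 EventID=5145 SrcIP=10.0.5.23 Share=\\*\Finance Target=Q3\forecast.docx.locked Access=WriteData
2023-10-12T09:01:04 EventID=5145 SrcIP=10.0.5.23 Share=\\*\Finance Target=Q3\invoices.pdf Access=ReadData
2023-10-12T09:01:05 EventID=5145 SrcIP=10.0.5.23 Share=\\*\Finance Target=Q3\invoices.pdf.locked Access=WriteData
2023-10-12T09:01:05 EventID=5145 SrcIP=10.0.5.23 Share=\\*\Finance Target=Q3\payroll.csv Access=ReadData
2023-10-12T09:01:06 EventID=5145 SrcIP=10.0.5.23 Share=\\*\Finance Target=Q3\payroll.csv.locked Access=WriteData
2023-10-12T09:01:06 EventID=5145 SrcIP=10.0.5.23 Share=\\*\Finance Target=Q3\README-RECOVER.txt Access=WriteData
2023-10-12T09:01:10 EventID=5145 SrcIP=10.0.7.41 Share=\\*\Finance Target=Q3\budget.xlsx Access=ReadData
2023-10-12T09:05:30 EventID=5145 SrcIP=10.0.7.41 Share=\\*\Finance Target=Q3\budget.xlsx Access=WriteData
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) SrcIP=(?P<src>\S+) "
    r"Share=(?P<share>\S+) Target=(?P<target>\S+) Access=(?P<access>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_remote_encryption(log_text, min_rewrites=3, window_seconds=60):
    """Return {src_ip: [original files]} for remote hosts that, within
    window_seconds, read at least min_rewrites distinct files over SMB and
    wrote each back under an extra suffix (read -> encrypt -> rewrite)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [e for e in events if e is not None and e["event"] == "5145"]

    reads = defaultdict(dict)      # src -> {target: time of first read}
    rewrites = defaultdict(list)   # src -> [(write time, original, new name)]
    for e in events:
        src, target, t = e["src"], e["target"], e["ts"]
        if e["access"] == "ReadData":
            reads[src].setdefault(target, t)
        elif e["access"] == "WriteData":
            # A write to "<original>.<suffix>" shortly after this host read
            # <original> is the rewrite half of the pattern; a write to the
            # same name (normal editing) deliberately does not count.
            for original, t_read in reads[src].items():
                if target.startswith(original + ".") and \
                        (t - t_read).total_seconds() <= window_seconds:
                    rewrites[src].append((t, original, target))
                    break

    alerts = {}
    for src, items in rewrites.items():
        items.sort()
        # Sliding window: alert if any window_seconds span holds enough
        # distinct originals rewritten by the same remote host.
        for i in range(len(items)):
            start = items[i][0]
            window = [x for x in items[i:]
                      if (x[0] - start).total_seconds() <= window_seconds]
            distinct = {x[1] for x in window}
            if len(distinct) >= min_rewrites:
                alerts[src] = sorted(distinct)
                break
    return alerts


if __name__ == "__main__":
    for src, files in detect_remote_encryption(SAMPLE_LOG).items():
        print(f"possible remote encryption from {src}: {len(files)} files rewritten")
        for f in files:
            print("   ", f)
```

Because the signal is per remote source address rather than per process, the response action it supports is isolating or blocking the source host and its SMB sessions, which is the remediation that still works when the local writer is the system process. In production the thresholds should be tuned against normal share traffic (backup agents and document converters also read and rewrite files), and the constructed line format would be replaced by the real 5145 fields from the SIEM.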