CISA Updates #StopRansomware Advisory for AvosLocker

Category: Ransomware News | Industry: Global | Source: CISA

In a joint Cybersecurity Advisory (CSA) released by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), updated details surrounding the AvosLocker ransomware gang have been shared. AvosLocker is a ransomware-as-a-service (RaaS) entity that has caused havoc, with incidents identified as recently as May 2023. This threat operates across various critical infrastructure sectors within the United States, targeting Windows, Linux, and VMware ESXi environments. Like many ransomware groups, AvoLockers aims to leverage the threat of data encryption and theft for double-extortion.

The AvosLocker affiliates exhibit a propensity for leveraging legitimate software and open-source tools during their ransomware operations. These tools encompass a range of tactics, such as utilizing remote system administration tools, executing scripts to employ native Windows tools, employing open-source networking tunneling tools, maintaining command and control through tools like Cobalt Strike and Sliver, and employing credential harvesting techniques using tools like Lazagne and Mimikatz. Moreover, for data exfiltration, AvosLocker affiliates utilize tools like FileZilla and Rclone. The FBI has reported the use of various custom PowerShell and batch scripts for lateral movement, privilege escalation, and disabling antivirus software, reinforcing the sophistication and adaptability of this threat group. Custom webshells have been employed to facilitate network access and further their malicious activities.

CISA provides a comprehensive list of recommended mitigation steps for organizations to adopt, addressing the evolving threat of AvosLocker ransomware. These steps encompass securing remote access tools, imposing strict restrictions on RDP and remote desktop services, securing and monitoring PowerShell usage, and consistently updating software with the latest patches.