FBI and CISA Unveil Joint Cybersecurity Advisory to Combat AvosLocker Ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a comprehensive joint cybersecurity advisory to combat the rising threat of ransomware.

This advisory aims to raise awareness of the AvosLocker ransomware, providing essential information to help users and experts better understand this malicious variant and bolster their defenses against it. The release is part of a broader initiative, #StopRansomware, focused on sharing critical technical details related to ransomware operations.

Emergence and Evolution of AvosLocker

AvosLocker, a ransomware-as-a-service (RaaS) variant, debuted on the threat landscape in September 2021, and has steadily expanded its horizons. Since January, the criminal group has incorporated encryption mechanisms specifically targeting Linux systems, including VMware ESXi servers.

This contrasts with many similar operations that primarily focus on Windows systems. The criminal operators even advertised a variant of their malicious tool, AvosLinux, designed to support Linux and ESXi servers.

Key Insights from the Advisory

The joint cybersecurity advisory sheds light on AvosLocker's tactics, techniques and procedures (TTPs), including indicators of compromise (IOCs).

It reveals that AvosLocker affiliates gain initial access to victims' networks using a combination of open-source remote system administration tools and legitimate software, quietly penetrating network defenses. The advisory lists various tools and methods employed by the perpetrators, such as:

• Remote system administration tools (e.g., PuTTY, Splashtop Streamer, AnyDesk)
• Utilizing open-source networking tunneling tools such as Chisel and Ligolo
• Legitimate software like Notepad++, 7zip and RDP Scanner
• Execution of native Windows tools via scripts (e.g., Nltest or PsExec)
• Establishment of a Command and Control (C2) center using Cobalt Strike and Sliver
• Harvesting sensitive data, including credentials, using tools like Lazagne and Mimikatz
• Data exfiltration via FileZilla and Rclone

Security experts have observed AvosLocker affiliates executing privilege escalation, lateral movement and the disabling of antivirus software on compromised networks. This is achieved through the use of PowerShell and batch (.BAT) scripts and custom webshells for network access.

Mitigation and Recommendations

The FBI and CISA have offered crucial recommendations for organizations to defend against AvosLocker and similar threats. These include:

• Strictly limiting Remote Desktop Protocol (RDP) and other remote desktop services.
• Implementing PowerShell restrictions to prevent the execution of malicious scripts.
• Disabling command-line and scripting permissions and activities.
• Implementing application controls.
• Keeping Windows PowerShell and PowerShell Core up to date to mitigate known vulnerabilities.
• Configuring the Windows Registry to require User Account Control (UAC) approval for any PsExec operations.

Additionally, specialized software like Bitdefender Ultimate Security can detect anomalous activity on vulnerable systems and mitigate attacks.

Regular data backups, including cold backup copies stored offline, ensure data availability in case of system encryption. Encrypting sensitive documents is also effective against data leaks, preventing perpetrators from exploiting them for extortion.