FBI Posts Warning About AvosLocker Ransomware

The FBI has warned of a ransomware operation that uses DDoS attacks to pressure its victims. AvosLocker “claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets,” said the FBI’s Intent Crime Center (ICS) report. The AvosLocker RaaS launched in July 2021 and has continued to attack US critical infrastructure.

Peter Stelzhammer, Co-Founder, AV-Comparatives offered up this advice:

“Never ever pay the Ransomware – have back-ups.” 

“Ransomware is a type of malware that is capable of encrypting a victim’s files. In order to restore access for the victim, the attacker demands a ransom. This amount can range from a few hundred to millions of dollars or euros. It is believed that the first ransomware attack took place in 1989 and the healthcare industry was the target. Three decades later, ransomware attacks continue to grow rapidly and pose greater challenges to businesses than ever before.”  

“As the entire world underwent a significant shift in digital direction due to the 2020 pandemic, cyber threats to businesses also skyrocketed.  According to studies, the third quarter of 2020 saw a 139% year-over-year increase in ransomware attacks compared to the third quarter of 2019. These attackers not only hold networks or data hostage, they also exfiltrate data and threaten to release it if their financial demands are not met.”

“In recent years, there has been an evolution in the nature of ransomware attacks. Compared to old-school attacks, we are now seeing the use of coordinated and strategic ransomware. This new technique involves deep penetration of target systems instead of simply sending a series of spam emails with attachments. These security incidents are commonly referred to as ‘big-game hunting’ and begin with an initial vector. The most common of these vectors include:

  • Phishing: Attackers impersonate someone they are not, such as a representative of a bank or telecommunications company, to obtain victims’ passwords, account information, etc.
  • Network vulnerability: If the software of network devices is not patched, attackers can easily exploit this vulnerability to initiate ransomware attacks.
  • Remote desktop protocol: cyber perpetrators can also access a device via a remote desktop software tool and grab information.”

“Looking at the current state of affairs, it is likely that combating ransomware will be a top priority for cybersecurity professionals in the coming years. Some of the recommended measures to reduce the risk of a ransomware attack include:  

  • Using an effective spam filter 
  • Configuring desktop extensions 
  • Filtering out files with typical malicious extensions from emails
  • Blocking malicious JavaScript files 
  • Rights management 
  • Ensuring all software is updated with the latest security patches 
  • Moving to a zero-trust architecture
  • Prioritizing assets and evaluating traffic
  • Implementing strict policies at segmentation gateways, at the application level, and in NGFWs
  • Adaptive monitoring and tagging 
  • Additional threat protection through the use of a cloud access security broker (CASB) 
  • Rapid response testing 
  • Consistent updating of anti-ransomware software  
  • Storage of backups offline 
  • Block advertising 
  • Updating email gateways 
  • Raising awareness of ransomware among employees”
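Two of the measures in the list above, filtering attachments with typically malicious extensions out of email and blocking malicious JavaScript files, come down to a small piece of logic at the mail gateway. The following is an added example written for this post; it is not code from AV-Comparatives or from the FBI advisory. The extension blocklist, the sample message and the `example.invalid` addresses are constructed for illustration, and a real gateway would normally also inspect archive contents and file magic bytes rather than trusting the filename alone.

```python
from email import policy
from email.parser import Parser

# Constructed blocklist: extensions that are executable or script-like and
# rarely have a legitimate reason to arrive as an email attachment.
# A real deployment would tune this list to its own environment.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
    ".iso", ".img",
}

RTL_OVERRIDE = "\u202e"  # Unicode control char that visually reverses a filename


def attachment_verdict(filename):
    """Decide whether an attachment name should be blocked.

    Returns (blocked, reason). The check looks at the *last* extension so that
    double extensions such as invoice.pdf.exe are caught, normalises case, and
    strips trailing dots/spaces that some mail clients ignore when opening a file.
    """
    if RTL_OVERRIDE in filename:
        # The displayed name no longer matches the real one; treat as hostile.
        return True, "right-to-left override character in filename"

    name = filename.strip().lower().rstrip(". ")
    if "." not in name:
        return False, "no extension"

    last_ext = "." + name.rsplit(".", 1)[1]
    if last_ext in BLOCKED_EXTENSIONS:
        return True, "blocked extension " + last_ext
    return False, "allowed extension " + last_ext


def blocked_attachments(raw_message):
    """Parse an RFC 5322 message and return [(filename, reason)] for every
    attachment the policy would block."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # body text or a container part, not an attachment
        blocked, reason = attachment_verdict(fname)
        if blocked:
            hits.append((fname, reason))
    return hits


# Constructed sample message: one disguised executable, one genuine PDF.
SAMPLE_MESSAGE = """\
From: accounts@example.invalid
To: staff@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for fname, reason in blocked_attachments(SAMPLE_MESSAGE):
        print(f"BLOCK {fname}: {reason}")
```

Running the block prints one line for `invoice.pdf.exe` and nothing for `report.pdf`. The design choice worth noting is that the verdict is made on the final extension after normalisation, not on a substring match, so a name like `notes.exe.txt` is still allowed while `INVOICE.PDF.EXE ` (mixed case, trailing space) is blocked.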

This ransomware, and the people behind it, are very unique, as I’ve never heard of anything like this where you get phone calls, threats of DDoS attacks and the like. I can see how this would warrant a warning from the FBI, which means that enterprises everywhere should take this seriously.

UPDATE: Saryu Nayyar, CEO and Founder, Gurucul added this commentary:

“This is another example of pen testing tools weaponized for usage by threat actors. The DDoS is a new twist where those types of attacks used to be commonly run to help malware exploits slip past overrun resources, similar to a mob distracting guards to allow the true threat to slip past defenses. In this case, it is used as punishment for negotiations not going so well. These types of ransomware attacks show that current XDR and SIEM solutions are insufficient at preventing the successful data theft and detonation of the payload. The time it takes for these platforms to detect the various techniques and tools used to evade current defenses has proven to be too late to prevent damage and loss. A solution incorporating a large set of machine learning models that are self-training along with behavioral analytics to identify the unusual activity can also adapt to the newer attack techniques being implemented and is therefore more apt to stop the attack at different points in the kill chain. Very few solutions can automatically correlate, analyze and prioritize an emerging attack campaign like this out-of-the-box to prevent the ransomware attack from being successful.”

UPDATE #2: Saumitra Das, CTO and Cofounder of Blue Hexagon had this to say:

“Ransomware has recently moved to using double extortion and triple extortion so that they can extract payment for leverage, not just by encrypting files which tends to be harder. This is a newer technique that is somewhat connected to threats of disrupting servers in an affected organization from the inside. The key new aspect here is the threat of DDoS from outside instead of disrupting processes in internal machines.”
