The joint Cybersecurity Advisory (CSA) published by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides known IOCs, TTPs, and detection methods associated with the AvosLocker ransomware variant employed in recent attacks.
The joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort aimed at sharing technical details associated with various ransomware operations.
The AvosLocker ransomware-as-a-service emerged in the threat landscape in September 2021, since January the group expanded its targets by implementing support for encrypting Linux systems, specifically VMware ESXi servers.
AvosLocker operators already advertised in the past a Linux variant, dubbed AvosLinux, of their malware claiming it was able to support Linux and ESXi servers.
This joint CSA updates the advisory published by the US Government on March 17, 2022.
AvosLocker affiliates use legitimate software and open-source remote system administration tools to compromise the victims’ networks.
Some of the open-source tools used by the affiliates include:
AvosLocker affiliates were observed using custom PowerShell [T1059.001] and batch (.bat) scripts [T1059.003] for lateral movement, privilege escalation, and disabling antivirus software. Threat actors were also observed uploading and use custom webshells to enable network access [T1505.003].
The joint cybersecurity advisory also includes YARA rule for network defenders to detect the activity of the malware.
CISA and the FBI recommend to secure remote access tools by:
The advisory also recommends organizations exercise, test, and validate their security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.
FBI and CISA recommend testing existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
(SecurityAffairs – hacking, AvosLocker ransomware)