In 2023, the United States faced a significant cybersecurity threat with the rise of AvosLocker ransomware attacks targeting critical infrastructure. A joint advisory by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) shed light on this perilous development. This blog will delve into the details of the AvosLocker ransomware, the tactics employed by the attackers, and the broader trends in ransomware attacks in 2023.
The AvosLocker ransomware gang is a notorious group known for its attacks on critical infrastructure sectors in the United States. What sets AvosLocker apart is its sophisticated use of tactics, techniques, and procedures (TTPs) to infiltrate networks, exfiltrate data, and encrypt vital systems.
- Stealthy Compromises: AvosLocker affiliates employ legitimate software and open-source remote system administration tools to compromise organizations' networks. This stealthy approach makes detection and attribution challenging.
- Data Exfiltration and Extortion: The attackers resort to data exfiltration-based extortion tactics, threatening to leak or publish stolen data. This adds an extra layer of pressure on victims.
- Cross-Platform Targeting: AvosLocker is not limited to Windows systems. It affects Windows, Linux, and VMware ESXi environments, making it a versatile threat.
- Living-Off-The-Land Tactics: AvosLocker relies on open-source tools and living-off-the-land (LotL) techniques, leaving minimal traces behind, further complicating attribution efforts.
- Malicious Tools: The attackers employ a range of malicious tools, including Cobalt Strike and Sliver for command and control, Lazagne and Mimikatz for credential theft, and custom PowerShell and Windows Batch scripts for lateral movement.
- Web Shells and Reverse Proxies: AvosLocker affiliates utilize custom web shells to gain network access and employ an executable named NetMonitor.exe, masquerading as a network monitoring tool but serving as a reverse proxy to maintain external connections.
In response to the growing threat of AvosLocker ransomware and ransomware attacks in general, CISA and FBI have outlined critical recommendations for organizations, especially those in critical infrastructure sectors. These include:
- Implement Application Controls: Employ robust application controls to limit unauthorized software installations.
- Restrict Remote Desktop Services: Limit the use of remote desktop protocol (RDP) and other remote desktop services, reducing potential attack vectors.
- Control PowerShell Usage: Restrict PowerShell usage, which is frequently abused by threat actors for malicious activities.
- Phishing-Resistant Multi-Factor Authentication: Implement phishing-resistant multi-factor authentication to enhance security.
- Network Segmentation: Segment networks to contain potential breaches and limit lateral movement.
- Regular Backups: Maintain periodic offline backups to mitigate data loss in case of ransomware attacks.
Aside from the AvosLocker threat, 2023 has witnessed alarming trends in ransomware attacks:
- Swift Deployments: Threat actors are rapidly deploying ransomware within one day of initial access in over 50% of engagements, reducing the median dwell time from 4.5 days in 2022 to just five hours in more than 10% of incidents. This speed is aimed at avoiding detection.
- Initial Access Vectors: The three largest initial access vectors for ransomware attacks are exploitation of public-facing applications, stolen credentials, and off-the-shelf malware. These vulnerabilities are consistently weaponized by attackers.
- Ransomware-as-a-Service (RaaS) Model: The availability of RaaS and leaked ransomware code has made it easier for even novice criminals to launch ransomware attacks, making it a lucrative avenue for illicit profits.
- Human-Operated Ransomware: Microsoft's data reveals a significant increase in human-operated ransomware attacks, with over 200% growth since September 2022. Smaller organizations are increasingly becoming targets.
- Remote Encryption: Attackers are now using remote encryption, rendering traditional process-based remediation ineffective. This approach minimizes their footprint and makes defending against attacks more challenging.
The emergence of AvosLocker ransomware and the evolving tactics of threat actors underscore the pressing need for robust cybersecurity measures. Organizations, particularly those in critical infrastructure sectors, must heed the recommendations of CISA and FBI to reduce the likelihood and impact of ransomware incidents. Additionally, the swift evolution of ransomware attacks in 2023 requires a holistic security approach and constant vigilance to protect against these ever-growing threats.