The FBI and the Treasury Department on Thursday issued a joint cybersecurity advisory to warn organizations in the United States about attacks involving ransomware named AvosLocker.
The advisory says AvosLocker has been used in attacks on various critical infrastructure sectors, including — but not limited to — critical manufacturing, financial services, and government facilities.
The impact of these attacks on critical infrastructure organizations is unclear. However, ransomware attacks such as the one that targeted Colonial Pipeline last year have led to the US taking significant steps to improve the cybersecurity of the country’s most important systems.
AvosLocker is offered as ransomware-as-a-service (RaaS) and its users claim to have targeted organizations around the world, including the United States, the United Kingdom, Germany, Spain, Belgium, Canada, China, Taiwan, Turkey, the United Arab Emirates, Saudi Arabia and Syria.
AvosLocker attacks involve a piece of ransomware that encrypts files on the victim’s systems, as well as the theft of sensitive information in an effort to convince the victim to pay up.
The ransomware operators run a Tor-based website where they name the victims that refuse to pay and publish stolen data. On this site they also inform visitors that the data of victims that don’t pay is up for sale.
In some cases, the attackers call up the victim and inform them that the ransom can be negotiated. The hackers may also launch DDoS attacks against the victim during negotiations.
The FBI and the Treasury Department have made available indicators of compromise (IoC) to help organizations detect AvosLocker attacks. They have also shared information on the vulnerabilities exploited by the cybercriminals and the tools they use. Some general mitigations and other relevant resources are also made available to organizations.
However, the advisory notes, “AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets. As a result, AvosLocker indicators of compromise (IOCs) vary between indicators specific to AvosLocker malware and indicators specific to the individual affiliate responsible for the intrusion.”