The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to share known indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and detection methods associated with the AvosLocker ransomware variant identified through FBI investigations as recently as May 2023.
U.S. critical infrastructure organizations across several industries — including government, financial services, and critical manufacturing — have been targeted by the AvosLocker ransomware-as-a-service (RaaS) operation.
Last week's advisory updated the March 17, 2022, joint CSA released by FBI, CISA, and the Department of the Treasury’s Financial Crimes Enforcement Network. The update included IOCs and TTPs not included in the previous advisory, as well as a YARA rule developed after analyzing a tool associated with an AvosLocker compromise.
AvosLocker’s track record of successful cyberattacks against U.S. critical infrastructure has elevated this threat enough to justify a government advisory from CISA and the FBI providing known IOCs and TTPs, as well as detection methods, said Darren Guccione, co-founder and CEO at Keeper Security. Guccione said the federal agencies offer concrete actions that can help to mitigate the risk and impact of AvosLocker and other cyberthreats.
“CISA and FBI recommend adopting application controls, limiting the use of remote desktop services, restricting PowerShell use, requiring phishing-resistant multi-factor authentication, segmenting networks, keeping systems up-to-date, and maintaining offline backups,” said Guccione. “As ransomware operators like AvosLocker evolve their tactics, protecting your organization requires a layered approach.”
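Several of the controls Guccione lists are host-level settings that can be audited directly. The PowerShell script below is an added example, not code from the article or from the CISA/FBI advisory. It reads the standard Windows registry locations and the effective AppLocker policy behind four of those recommendations (Remote Desktop, PowerShell restriction and logging, and application control) and reports a pass/fail line for each. Phishing-resistant MFA, network segmentation, patching and offline backups are not host-local settings and are left out. The registry paths, the `fDenyTSConnections`/`UserAuthentication`/`EnableScriptBlockLogging` value names and the `MicrosoftWindowsPowerShellV2` optional-feature name are the documented client-Windows ones; the helper function names and the pass criteria are assumptions of this example. Run it elevated so the HKLM keys, optional-feature state and AppLocker policy are readable.

```powershell
# Added example (not from the advisory or the article): read-only audit of a few
# host-level controls behind the CISA/FBI AvosLocker mitigations.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on a client Windows host, run elevated.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. "not configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. Remote Desktop disabled: fDenyTSConnections = 1 means inbound RDP is off.
$rdpDenied = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
Add-Finding 'RDP disabled' ($rdpDenied -eq 1) "fDenyTSConnections=$rdpDenied"

# 2. If RDP stays on, Network Level Authentication (UserAuthentication = 1) should be required.
$nla = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
Add-Finding 'RDP requires NLA' ($nla -eq 1) "UserAuthentication=$nla"

# 3. PowerShell script block logging turned on through policy (feeds event ID 4104).
$sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
Add-Finding 'PS script block logging' ($sbl -eq 1) "EnableScriptBlockLogging=$sbl"

# 4. PowerShell restricted: this session runs in ConstrainedLanguage mode
#    (what WDAC/AppLocker lockdown enforces for non-admin scripts).
$mode = $ExecutionContext.SessionState.LanguageMode
Add-Finding 'PS constrained language' ($mode -eq 'ConstrainedLanguage') "LanguageMode=$mode"

# 5. The legacy PowerShell v2 engine bypasses logging and language mode; it should be removed.
$v2state = 'Unknown'
try {
    $psv2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop
    $v2state = [string]$psv2.State
} catch { }
Add-Finding 'PSv2 engine removed' ($v2state -like 'Disabled*') "State=$v2state"

# 6. Application control: at least one AppLocker rule collection is in Enabled (enforce) mode.
$enforced = @()
try {
    $policy = [xml](Get-AppLockerPolicy -Effective -Xml)
    $enforced = @($policy.AppLockerPolicy.RuleCollection |
        Where-Object { $_.EnforcementMode -eq 'Enabled' } |
        ForEach-Object { $_.Type })
} catch { }
Add-Finding 'AppLocker enforced' ($enforced.Count -gt 0) ('Enforced collections: ' + ($enforced -join ', '))

$findings | Format-Table -AutoSize
```

Each line in the output is a single control; a `False` next to `RDP disabled` together with `False` next to `RDP requires NLA` is the combination that most directly matches the "limit remote desktop services" recommendation. The AppLocker check only proves a policy is enforced, not that it is well written, and hosts that use Windows Defender Application Control instead of AppLocker will show no enforced collections here.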
Craig Jones, vice president of security operations at Ontinue, added that threats such as AvosLocker that target critical infrastructure will likely continue to evolve in line with technological advancements. Jones said it’s noteworthy because as infrastructure becomes progressively more connected and dependent on digital systems, the possible attack surface for cybercriminals increases.
“We can expect to see more sophisticated attacks that exploit specific vulnerabilities in these systems,” said Jones. “Furthermore, the swelling value of data may lead to more targeted ransomware attacks that aim to extract or encrypt particularly valuable or sensitive information.”