FBI and CISA Issue Updated Advisory on AvosLocker Ransomware


October 17, 2023

World map

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an advisory on the targeting of critical infrastructure by the AvosLocker ransomware operators.

"AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments," the advisory notes (PDF).  

"AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data."

Takeaway: AvosLocker is a threat actor that was first observed in July of 2021, and follows the RaaS model. AvosLocker attacks typically leverage vulnerability exploits and are adept at evading security tools by using polymorphic techniques for payloads and running in Safe Mode.

While not nearly as prolific as leading threat actors, AvosLocker was more active in 2022 and early 2023, but may be showing signs of a resurgence. AvosLocker began with ransom demands in the hundreds of thousands of dollars but increased those demands into the millions of dollars over time.

AvosLocker attacks leverage legitimate open-source tools through living-off-the-land (LotL) tactics for lateral movement including Cobalt Strike and Sliver for C2, Lazagne and Mimikatz for credential theft, tunneling tools such as Chisel and Ligolo, as well as resources like Rclone and FileZilla for data exfiltration that significantly reduce the likelihood of being detected on the targeted network.

AvosLocker also abuses remote system administration tools like Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent for backdoor access to the network.

AvosLocker is written in C++ and has versions for Windows, Linux, and VMware EXSi. It uses the legitimate AnyDesk software to access victim machines and leverages legitimate anti-debugging services for obfuscation.  

When possible, AvosLocker will delete system restore points, VSS shadow copies, and any backups to thwart recovery efforts. Older versions use RSA AES-256 and ChaCha20 for encryption, while newer versions use Salas20 for file encryption then it encrypts the file encryption keys with RSA AES-256.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.