The FBI has issues warning about ransomware that threatens victims with DDoS attacks

A newcomer to the ransomware-as-a-service sector is now focusing on critical infrastructure in the United States.
SIA Team
March 21, 2022

A newcomer to the ransomware-as-a-service sector is now focusing on critical infrastructure in the United States.

The US Federal Bureau of Investigations (FBI) has issued an advisory warning that AvosLocker, a ransomware-as-a-service threat that first appeared in July 2021, is still attacking vital infrastructure in the United States.

According to the FBI, the AvosLocker gang has targeted victims in financial services, key manufacturing, and government institutions in the United States.

The FBI’s Internet Crime Center (IC3) notes that AvosLocker claims to directly handle ransom negotiations, as well as the posting and hosting of exfiltrated victim data after its affiliates infect targets.

Last year, AvosLocker appeared on the ransomware market, cleverly bypassing anti-malware software by leveraging AnyDesk remote admin software in Windows Safe Mode. Based on news releases it posts on dark web forums to frighten victims and encourage affiliates, PaloAlto Networks believes AvosLocker is a marketing-savvy enterprise.

“AvosLocker provides technical assistance to victims who have been harmed by encryption software that the group claims is “fail-proof,” has low detection rates, and can handle big files,” according to Palo Alto Networks.

The group claims to have wreaked havoc on businesses in the United States, the United Kingdom, the United Arab Emirates, Belgium, Spain, and Lebanon, demanding ransoms ranging from $50,000 to $75,000.

According to the FBI, AvosLocker’s operators prefer ransom payments in Monero, a popular Bitcoin alternative, but will also accept Bitcoin at a premium of 10% to 25% over the current US dollar price. The FBI also advises that the group may call victims to pressurize them into making a bargain, which is an unusual action.

“In some cases, AvosLocker victims receive phone calls from an AvosLocker representative encouraging them to go to the onion site to negotiate and threatening to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations,” according to the FBI. Unfortunately, DDoS attacks are commonly available, inexpensive, and effective.

The AvosLocker software for Windows is developed in C++ and runs as a console application that tracks activity on victims’ computers and allows the attacker to remotely enable or disable certain functionalities.

It’s a so-called double-extortion scheme in which the criminals take as well as encrypt data. They take information and threaten to publish it on a website to get victims to pay. The gang also started auctioning leaks to profit from failed ransom negotiations, a product they stole from the famed REvil ransomware organization.

According to the FBI dossier, AvosLocker was seen using the Cobalt Strike pen-testing kit, encoded PowerShell, the PuTTY Secure Copy client tool “pscp.exe,” Rclone, AnyDesk, Scanner, Advanced IP Scanner, and WinLister.

The organization also uses the CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 Proxy Shell bugs from July, as well as the CVE-2021-26855 Microsoft Exchange Server bug from last year. However, the FBI points out that how attackers break into a target’s network is dependent on the AvosLocker affiliate performing the attack.

The FBI’s advisory is part of the US government’s efforts, led by the Department of Homeland Security’s US Cybersecurity and Infrastructure Security Agency (CISA), to urge all organizations to patch everything and strengthen cybersecurity amid fears that Russian state-sponsored hackers will target US organizations with destructive malware as a result of Western sanctions over Russia’s invasion of Ukraine.