October 13, 2023 at 07:06AM
AvosLocker ransomware gang has been linked to recent attacks on critical infrastructure sectors in the U.S.
The gang uses legitimate software and open-source remote administration tools to compromise networks and exfiltrate data.
AvosLocker leverages sophisticated techniques to avoid detection and affects Windows, Linux, and VMware environments.
The attacks rely on open-source tools, legitimate utilities, and custom scripts for lateral movement and privilege escalation.
U.S. agencies recommend implementing mitigations such as application controls, network segmentation, and offline backups to reduce the impact of AvosLocker and other ransomware incidents.
Ransomware attacks have surged, with threat actors deploying ransomware within one day of initial access in over 50% of cases.
Human-operated ransomware attacks have increased over 200% since September 2022, and encryption and exfiltration are increasingly used together.
Microsoft warns of attackers exploiting vulnerabilities in less common software and using remote encryption to minimize their footprint.
A holistic security approach is crucial to defend against evolving ransomware threats.
From the meeting notes, it is clear that the AvosLocker ransomware gang has been linked to recent attacks on critical infrastructure sectors in the U.S. The ransomware-as-a-service (RaaS) operation uses legitimate software and open-source tools to compromise organizations’ networks, exfiltrate data, and threaten to publish the stolen data. AvosLocker employs sophisticated techniques to bypass antivirus protection and affects Windows, Linux, and VMware ESXi environments. Attribution is difficult because of the reliance on open-source tools and living-off-the-land tactics. The attacks use various tools for command-and-control, credential theft, lateral movement, privilege escalation, and disarming security software.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recommend mitigations such as application controls, limiting remote desktop services, restricting PowerShell use, adopting multi-factor authentication, network segmentation, regular system updates, and offline backups to reduce the likelihood and impact of AvosLocker and other ransomware incidents.

Additionally, there has been a surge in ransomware attacks in 2023, with threat actors deploying ransomware more swiftly to avoid detection. Exploitation of public-facing applications, stolen credentials, off-the-shelf malware, and external remote services are the primary initial access vectors for ransomware attacks. The ransomware-as-a-service model and the availability of leaked ransomware code have made ransomware attacks profitable and accessible even to novice criminals.

Microsoft reports a significant increase in human-operated ransomware attacks, with smaller organizations and unmanaged devices being targeted. These attacks often combine encryption with exfiltration of data, and remote encryption has become more prevalent as a way to minimize the attackers’ footprint.
A holistic security approach is necessary to combat these evolving ransomware threats.