In recent years, the rise of ransomware attacks has wreaked havoc across industries worldwide. Among the many ransomware gangs operating today, the AvosLocker gang has emerged as a formidable threat, particularly targeting critical infrastructure sectors in the United States. This article delves into the tactics employed by AvosLocker, its techniques for evasion and attribution challenges, as well as the recommendations put forth by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Additionally, we explore the surge in ransomware attacks experienced in 2023, the main entry points leveraged by threat actors, the lowered barrier to entry for criminals, and the impact of such attacks on small organizations.
Emergence and Techniques of AvosLocker Ransomware
AvosLocker first appeared on the scene in mid-2021, targeting a myriad of industries and organizations. What sets AvosLocker apart is its utilization of sophisticated techniques to disable antivirus protection and successfully evade detection. This ransomware strain has proven to be a formidable adversary, consistently staying one step ahead of security measures.
Living-off-the-Land Tactics and Attribution Challenges
A hallmark of AvosLocker attacks is the strategic use of open-source tools and living-off-the-land (LotL) tactics. By leveraging legitimate software and open-source remote system administration tools, AvosLocker affiliates manage to infiltrate organizations’ networks without raising any alarms. This leaves little to no trace that could lead to the attribution of attacks, making it challenging for security experts to trace back the origin of the ransomware.
Recommendations by CISA and FBI
To combat the growing threat posed by AvosLocker and similar ransomware strains, CISA and the FBI have issued crucial recommendations to critical infrastructure organizations. These organizations are urged to implement necessary mitigations to reduce the likelihood and impact of AvosLocker ransomware attacks. It is crucial for businesses to remain vigilant and proactive in implementing enhanced cybersecurity measures.
Surge in Ransomware Attacks in 2023
Ransomware attacks have reached unprecedented levels in 2023, causing significant disruptions and financial losses across various sectors. One alarming trend is the speed at which threat actors deploy ransomware after gaining initial access. More than 50% of incidents observed ransomware being deployed within one day of the initial breach. It is imperative for organizations to fortify their defenses and build resilience against such swift attacks.
Initial Access Vectors for Ransomware Attacks
Threat actors have multiple entry points to exploit when launching ransomware attacks. Exploitation of public-facing applications, stolen credentials, and the use of off-the-shelf malware are the three largest initial access vectors. Additionally, external remote services have emerged as a vulnerable point of entry. Organizations must strengthen their security posture by plugging these gaps and implementing strict access controls.
The lowered barrier to entry and lucrative nature of ransomware
The Ransomware-as-a-Service (RaaS) model has become increasingly prevalent, allowing even novice criminals to launch ransomware attacks. The readily availability of leaked ransomware code further lowers the barrier to entry into this illicit world. The potential for immense financial gains continues to attract individuals to engage in ransomware attacks, posing a significant challenge for law enforcement agencies and organizations alike.
Impact on small organizations
Contrary to popular belief, ransomware attacks do not solely target large corporations. Microsoft’s annual Digital Defense Report revealed that 70% of organizations falling victim to human-operated ransomware had fewer than 500 employees. Small businesses are particularly vulnerable due to inadequate cybersecurity measures and limited resources. The impact of ransomware attacks on small organizations can be devastating, leading to operational disruptions and financial strain.
Increase in Remote Encryption During Ransomware Attacks
Microsoft’s investigation into ransomware attacks revealed a troubling trend: a sharp increase in the use of remote encryption during human-operated ransomware attacks. This method allows threat actors to encrypt files remotely, potentially crippling organizations’ operations without ever setting foot on their premises. Over the past year, remote encryption has accounted for approximately 60% of attacks. This highlights the evolving tactics employed by ransomware operators and the need for organizations to adopt multi-layered security defenses.
The AvosLocker ransomware gang poses a significant threat to critical infrastructure sectors in the United States. Their sophisticated techniques, reliance on open-source tools, and living-off-the-land tactics make them difficult to attribute and mitigate. To combat this rising menace, organizations must heed the recommendations put forth by CISA and the FBI, implement robust cybersecurity measures, and remain vigilant against evolving tactics. By fortifying defenses and investing in proactive security measures, businesses can better defend against ransomware attacks, safeguard their critical infrastructure, and protect their valuable assets from falling into the hands of malicious actors.