#StopRansomware: AvosLocker Ransomware (Update) | CISA

## Summary

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023. AvosLocker operates under a ransomware-as-a-service (RaaS) model. AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments. AvosLocker affiliates compromise organizations' networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.

This joint CSA updates the March 17, 2022 AvosLocker ransomware joint CSA, Indicators of Compromise Associated with AvosLocker Ransomware, released by FBI and the Department of the Treasury's Financial Crimes Enforcement Network (FinCEN). This update includes IOCs and TTPs not included in the previous advisory and a YARA rule FBI developed after analyzing a tool associated with an AvosLocker compromise.

FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of AvosLocker ransomware and other ransomware incidents.

Download the PDF version of this report.

For a downloadable copy of IOCs, see:

## Technical Details

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors' activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

### Overview

AvosLocker affiliates use legitimate software and open-source tools during ransomware operations, which include exfiltration-based data extortion. Specifically, affiliates use:

FBI has also observed AvosLocker affiliates:

For additional TTPs, see joint CSA Indicators of Compromise Associated with AvosLocker Ransomware.

### Indicators of Compromise

See Tables 1 and 2 below for IOCs obtained from January 2023 through May 2023.

Table 1: Files and Tools (MD5, SHA256, and SHA1 hashes). Table 2: Email Address and Virtual Currency Wallets. The hash, address, and wallet values are available in the downloadable copy of the IOCs referenced above.

### YARA Rule

Based on an investigation by an advanced digital forensics group, FBI created the following YARA rule to detect the signature for a file identified as enabling malware. NetMonitor.exe is a malware masquerading as a legitimate process and has the appearance of a legitimate network monitoring tool. This persistence tool sends pings from the network every five minutes. The NetMonitor executable is configured to use an IP address as its command server, and the program communicates with the server over port 443. During the attack, traffic between NetMonitor and the command server is encrypted, where NetMonitor functions like a reverse proxy and allows actors to connect to the tool from outside the victim's network.

### MITRE ATT&CK Tactics and Techniques

See Tables 3 through 7 for all referenced threat actor tactics and techniques in this advisory.

Table 3: Initial Access

| Technique Title | ID | Use |
|---|---|---|
| External Remote Services | T1133 | AvosLocker affiliates use remote system administration tools (Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent) to access backdoor access vectors. |

Table 4: Execution

| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter: PowerShell | T1059.001 | AvosLocker affiliates use custom PowerShell scripts to enable privilege escalation, lateral movement, and to disable antivirus. |
| Command and Scripting Interpreter: Windows Command Shell | T1059.003 | AvosLocker affiliates use custom .bat scripts to enable privilege escalation, lateral movement, and to disable antivirus. |
| Windows Management Instrumentation | T1047 | AvosLocker affiliates use legitimate Windows tools, such as PsExec and Nltest, in their execution. |

Table 5: Persistence

| Technique Title | ID | Use |
|---|---|---|
| Server Software Component: Web Shell | T1505.003 | AvosLocker affiliates have uploaded and used custom webshells to enable network access. |

Table 6: Credential Access

| Technique Title | ID | Use |
|---|---|---|
| Credentials from Password Stores | T1555 | AvosLocker affiliates use the open-source applications Lazagne and Mimikatz to steal credentials from system stores. |

Table 7: Command and Control

| Technique Title | ID | Use |
|---|---|---|
| Protocol Tunneling | T1572 | AvosLocker affiliates use open-source network tunneling tools like Ligolo and Chisel. |

## Mitigations

These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities into remote software systems), thus strengthening the secure posture for their customers.

For more information on secure by design, see CISA's Secure by Design and Default webpage and joint guide.

FBI and CISA recommend organizations implement the mitigations below to improve your cybersecurity posture on the basis of the threat actor activity and to reduce the risk of compromise by AvosLocker ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

- Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges, to reduce the risk of lateral movement by PsExec.

In addition, FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

## Validate Security Controls

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

## Reporting

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with AvosLocker affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or CISA via the agency's Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870.

## Disclaimer

The information in this report is being provided "as is" for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

## References

1. GitHub: sysdream/ligolo repository (https://github.com/sysdream/ligolo)
2. GitHub: jpillora/chisel repository (https://github.com/jpillora/chisel)
3. GitHub: BishopFox/sliver repository (https://github.com/BishopFox/sliver)
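The NetMonitor behaviour described in the Indicators of Compromise section (a process contacting one command server on port 443 every five minutes) is a fixed-interval beacon, which can be hunted in outbound connection logs independently of any file hash. The script below is an added example, not part of the advisory and not FBI's YARA rule: it groups connections by host, process, and destination and flags flows whose gaps between connections are nearly constant. The log line format, host name, process name, and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (assumed format: "<ISO timestamp> <host> <process> -> <ip>:<port>").
# NetMonitor.exe reaches one IP on 443 at ~5-minute intervals; chrome.exe is irregular noise.
SAMPLE_LOG = """\
2023-05-02T10:00:03Z WS01 NetMonitor.exe -> 203.0.113.10:443
2023-05-02T10:01:17Z WS01 chrome.exe -> 198.51.100.7:443
2023-05-02T10:05:02Z WS01 NetMonitor.exe -> 203.0.113.10:443
2023-05-02T10:09:44Z WS01 chrome.exe -> 198.51.100.7:443
2023-05-02T10:10:04Z WS01 NetMonitor.exe -> 203.0.113.10:443
2023-05-02T10:10:51Z WS01 chrome.exe -> 198.51.100.7:443
2023-05-02T10:15:03Z WS01 NetMonitor.exe -> 203.0.113.10:443
2023-05-02T10:20:02Z WS01 NetMonitor.exe -> 203.0.113.10:443
2023-05-02T10:25:04Z WS01 NetMonitor.exe -> 203.0.113.10:443
2023-05-02T10:31:30Z WS01 chrome.exe -> 198.51.100.7:443
"""


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, host, process, ip, port)."""
    ts, host, proc, _arrow, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, ip, int(port)


def find_beacons(log_text, min_hits=5, max_jitter=0.1):
    """Return [(host, process, ip, port, interval_seconds)] for flows seen at least
    min_hits times whose gap standard deviation is <= max_jitter * mean gap."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, host, proc, ip, port = parse_line(line)
            flows[(host, proc, ip, port)].append(ts)
    hits = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            hits.append((*key, round(avg)))
    return sorted(hits)


if __name__ == "__main__":
    for host, proc, ip, port, interval in find_beacons(SAMPLE_LOG):
        print(f"{host}: {proc} -> {ip}:{port} every ~{interval}s")
```

On the sample log this reports only the NetMonitor.exe flow at roughly 300 seconds; lower max_jitter to tighten the match, or raise min_hits to require a longer observation window before alerting.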