In a recently released cybersecurity advisory, the FBI revealed that AvosLocker, the Ransomware-as-a-Service group that surfaced in mid-2021, was responsible for targeting US-based critical infrastructure across multiple sectors. The statement was jointly authored by the US Treasury Department and the Financial Crimes Enforcement Network (FinCEN).
The press release also shed light on the modus operandi of the RaaS group, stating that:
AvosLocker ransomware encrypts files on a victim’s server and renames them with the “.avos” extension. AvosLocker actors then place ransom notes on the victim server and include a link to an AvosLocker .onion payment site. Depending upon the affiliate, payments in Monero are preferred; however, they accept Bitcoin for a 10-25% premium. We have also observed alleged AvosLocker representatives make phone calls to the victims to direct them to the payment site to negotiate. Multiple victims have also reported that AvosLocker negotiators have been willing to negotiate reduced ransom payments.
Moreover, the statement also included indicators of compromise (IOCs) that follow a possible AvosLocker attack and the mitigation strategies that must be implemented to prevent its unauthorized entry to a network.
The AvosLocker leak site claims to have targeted victims in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China, and Taiwan.
AvosLocker broke into the threat landscape in December 2021, when Bleeping Computer reported that the ransomware aims to disable endpoint security solutions by rebooting compromised devices into Windows Safe Mode, where security functions are dormant by default.
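Two of the behaviours described above, the Safe Mode reboot used to sideline endpoint security and the renaming of encrypted files with the ".avos" extension, are the kind of thing a blue team can watch for in process-creation and file-rename telemetry. The following detection script is an added example written for this page; it is not code from the FBI advisory, from Bleeping Computer, or from any vendor. The log lines are constructed samples, and the pipe-separated field layout, the host names, and the timestamps are assumptions; a real deployment would feed it parsed Sysmon, EDR, or Windows event data instead.

```python
"""Detection helpers for two AvosLocker-style behaviours:
  1. bcdedit being used to set a Safe Mode boot (endpoint security does not
     start there by default), and
  2. bursts of files renamed to the ".avos" extension on one host.
All sample events below are constructed for illustration; the
"time|host|user|command" and "time|host|old_path|new_path" layouts are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (assumed layout: time|host|user|command_line)
PROCESS_EVENTS = """\
2022-03-17T10:01:02|srv01|CORP\\svc|C:\\Windows\\System32\\bcdedit.exe /set {default} safeboot network
2022-03-17T10:01:05|srv01|CORP\\svc|C:\\Windows\\System32\\shutdown.exe /r /t 0
2022-03-17T09:55:00|srv02|CORP\\admin|C:\\Windows\\System32\\bcdedit.exe /enum
2022-03-17T09:56:00|srv02|CORP\\admin|C:\\Windows\\System32\\notepad.exe
"""

# Constructed file-rename events (assumed layout: time|host|old_path|new_path)
RENAME_EVENTS = """\
2022-03-17T10:10:00|srv01|C:\\Data\\q1.xlsx|C:\\Data\\q1.xlsx.avos
2022-03-17T10:10:01|srv01|C:\\Data\\q2.xlsx|C:\\Data\\q2.xlsx.avos
2022-03-17T10:10:01|srv01|C:\\Data\\plan.docx|C:\\Data\\plan.docx.avos
2022-03-17T10:10:02|srv01|C:\\Data\\notes.txt|C:\\Data\\notes.txt.avos
2022-03-17T11:30:00|srv02|C:\\Users\\admin\\old.txt|C:\\Users\\admin\\old.avos
2022-03-17T11:45:00|srv03|C:\\Users\\bob\\draft.txt|C:\\Users\\bob\\final.txt
"""

# bcdedit ... /set ... safeboot  (enumerating or deleting the value is not flagged)
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\s/set\b.*\bsafeboot\b", re.IGNORECASE)


def parse_events(text, fields):
    """Split pipe-separated lines into dicts keyed by `fields`; malformed lines are skipped.
    The last field absorbs any extra '|' so command lines containing pipes stay intact."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|", len(fields) - 1)
        if len(parts) != len(fields):
            continue
        rows.append(dict(zip(fields, parts)))
    return rows


def find_safeboot_tampering(log_text):
    """Return (host, time, command) for every process event that sets a Safe Mode boot."""
    hits = []
    for ev in parse_events(log_text, ["time", "host", "user", "cmd"]):
        if SAFEBOOT_RE.search(ev["cmd"]):
            hits.append((ev["host"], ev["time"], ev["cmd"]))
    return hits


def find_avos_rename_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {host: peak_count} for hosts where at least `threshold` files were
    renamed to '.avos' inside any `window`-long span (sliding window over sorted times)."""
    per_host = defaultdict(list)
    for ev in parse_events(log_text, ["time", "host", "old", "new"]):
        if ev["new"].lower().endswith(".avos"):
            per_host[ev["host"]].append(datetime.fromisoformat(ev["time"]))
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    for host, when, cmd in find_safeboot_tampering(PROCESS_EVENTS):
        print(f"[safeboot] {when} {host}: {cmd}")
    for host, count in find_avos_rename_bursts(RENAME_EVENTS).items():
        print(f"[rename-burst] {host}: {count} files renamed to .avos within 5 minutes")
```

On the constructed sample this flags the single `bcdedit /set ... safeboot` command on srv01 and the burst of four `.avos` renames on the same host, while the lone rename on srv02 stays below the threshold and the `bcdedit /enum` query is ignored. The threshold and window are deliberately parameters: a single rename to an unusual extension is noise, a burst across many files in seconds is the encryption phase the advisory describes, and the Safe Mode change is worth alerting on even once, because legitimate administrators rarely schedule a server reboot into Safe Mode from a service account.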