The Federal Bureau of Investigation (FBI) and the Treasury Department have warned organizations, particularly critical infrastructure, about targeted attacks by ransomware as a service (RaaS) affiliate group AvosLocker.


AvosLocker has targeted a number of victims across multiple critical infrastructure sectors in the United States, including financial services, critical manufacturing and government facilities sectors. The public leak site also lists victims of AvosLocker organizations across the world, including the U.K., Germany, Spain, Belgium, Turkey, the United Arab Emirates, Canada, Syria, Saudi Arabia, China and Taiwan.


The RaaS group claims to handle ransom negotiations, publishing and hosting of exfiltrated victim data after their affiliates infect targets. If a victim does not pay the ransom, AvosLocker leaks samples of stolen victim data on their site and threatens to sell the data to unspecified third parties.


In some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the onion site to negotiate and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.


According to the cybersecurity advisory, multiple victims have reported on-premise Microsoft Exchange Server security vulnerabilities as the likely intrusion vector, including the Proxy Shell vulnerabilities (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855).


To mitigate this cybersecurity threat, organizations should:

  • Implement a data recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physical, separate, segmented and secure location, such as a hard drive, storage device, or the cloud.
  • Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.
  • Regularly back up data, password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Use multi-factor authentication where possible.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection. Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams)


The FBI also recommends organizations take advantage of the Cybersecurity and Infrastructure Security Agency’s Ransomware Readiness Assessment — a no-cost self-assessment based on a tired set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident.


For more AvosLocker indicators of compromise, please visit ic3.gov.