Research

AvosLocker Ransomware Group Targets U.S. University

Executive Summary

  • On May 1, the AvosLocker ransomware group claimed responsibility for an attack against a small U.S. university.
  • Shortly after news of the incident surfaced, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team consulted internal and external sources to collect and analyze intelligence about the attack.
  • These sources yielded findings that enabled STRIKE Team researchers to develop a hypothesis regarding attackers’ initial access to university systems.
    • Publicly available files suggested recent phishing attempts against the university. SecurityScorecard’s ratings platform revealed that the affected university had exposed services that ransomware groups often target on its network, and traffic data suggested that these services experienced suspicious activity in the weeks preceding the attackers’ claim.
  • These findings are largely consistent with the AvosLocker group’s established tactics, techniques, and procedures (TTPs).

Background

On May 1, the AvosLocker ransomware group claimed responsibility for an attack against a small U.S. university. While the news of a ransomware attack against the higher education sector is unfortunately quite familiar, this incident attracted particular attention because attackers used the university’s emergency notification system to distribute messages notifying students of the attack and advising them to pressure university administrators to meet the group’s ransom demands on the grounds that it was their personal information that the group would leak should negotiations fail.

The AvosLocker group first appeared in July 2021 and is, like many of its contemporaries, a ransomware-as-a-service (RaaS) operation that employs “double extortion,” not only encrypting devices on victim networks but also exfiltrating sensitive data and threatening to release it if the victim organization does not pay a ransom. In addition to threatening to publish stolen data, the group has also developed a reputation for leveraging additional extortion techniques such as contacting victim organizations by telephone or threatening to auction (rather than leak) stolen data.

Reports have highlighted the group’s particular use of the remote access tool AnyDesk for command and control (C2), but note that it can also use other remote access tools in other stages of attacks; AvosLocker affiliates have, in some cases, acquired initial access to target organizations by authenticating to RDP or VPN services with compromised credentials, for example.

Methodology

Researchers leveraged SecurityScorecard’s exclusive access to network flow (NetFlow) data to collect a sample of traffic involving IP addresses attributed to the affected university. They first consulted SecurityScorecard’s ratings platform to identify the IP addresses where SecurityScorecard has observed issues, these addresses being the most likely to attract attackers’ attention due to the observed issues. They then collected a two-month (March 3-May 3) sample of traffic involving these IP addresses and analyzed the results further.

SecurityScorecard’s ratings platform observes several services, including some that ransomware groups often target, exposed on the victim university’s network. STRIKE Team researchers prioritized these services when analyzing the traffic data. They first limited the traffic sample to communications involving those services. Then they searched the resulting IP addresses in SecurityScorecard’s Attack Surface Intelligence module and the public cybersecurity information-sharing platform VirusTotal to identify those previously linked to malicious behavior.

Next, because the attackers claimed to have stolen a large amount of sensitive data, researchers sought to identify possible exfiltration by identifying the largest data transfers in the traffic sample (those with byte counts of 10 MB or more), as large data transfers are the most likely to reflect exfiltration. Researchers further narrowed these results, first by filtering them by country code to identify IP addresses located outside of the U.S. and then by searching them in VirusTotal, as IP addresses either located outside of the U.S. or previously linked to malicious activity are more likely to have been involved in exfiltration.
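The triage described above (isolate external traffic to exposed remote-access ports, then pull out large outbound transfers to non-U.S. destinations for reputation lookups) can be expressed as a short filter over flow records. The following is an added illustration, not STRIKE Team tooling; the university prefix, the flow records, and the country codes are all constructed sample values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical university prefix (RFC 5737 TEST-NET-1), standing in for the
# IP addresses flagged on the ratings platform.
UNIVERSITY_NET = ip_network("192.0.2.0/24")
# Ports the report treats as ransomware-relevant exposures.
TARGET_PORTS = {3389: "RDP", 5901: "VNC", 139: "NetBIOS", 445: "SMB"}
LARGE_XFER_BYTES = 10_000_000  # the report's 10 MB threshold (decimal MB assumed)

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes, country of external peer)
FLOWS = [
    ("198.51.100.10", "192.0.2.5",      3389, 4_200,      "US"),  # external -> RDP
    ("198.51.100.10", "192.0.2.5",      3389, 3_900,      "US"),
    ("203.0.113.7",   "192.0.2.5",      3389, 5_100,      "NL"),
    ("203.0.113.9",   "192.0.2.8",      5901, 1_200,      "DE"),  # external -> VNC
    ("192.0.2.20",    "203.0.113.50",   443,  52_000_000, "RU"),  # large outbound, non-US
    ("192.0.2.20",    "198.51.100.77",  443,  15_000_000, "US"),  # large outbound, US
    ("192.0.2.21",    "198.51.100.77",  443,  200_000,    "US"),  # small outbound
    ("192.0.2.5",     "192.0.2.8",      3389, 8_000,      "US"),  # internal only, ignored
]

def is_internal(ip):
    return ip_address(ip) in UNIVERSITY_NET

def remote_access_contacts(flows):
    """Step 1: inbound flows from external hosts to exposed remote-access ports,
    grouped by service as (flow count, sorted distinct external sources)."""
    acc = defaultdict(lambda: {"flows": 0, "sources": set()})
    for src, dst, port, _, _ in flows:
        if port in TARGET_PORTS and is_internal(dst) and not is_internal(src):
            svc = TARGET_PORTS[port]
            acc[svc]["flows"] += 1
            acc[svc]["sources"].add(src)
    return {svc: (v["flows"], sorted(v["sources"])) for svc, v in acc.items()}

def candidate_exfil(flows, home_cc="US"):
    """Step 2: outbound transfers of >= 10 MB whose destination lies outside the
    home country; these are the addresses to send on for reputation lookups."""
    return [(dst, nbytes, cc) for src, dst, port, nbytes, cc in flows
            if is_internal(src) and not is_internal(dst)
            and nbytes >= LARGE_XFER_BYTES and cc != home_cc]

if __name__ == "__main__":
    print(remote_access_contacts(FLOWS))
    print(candidate_exfil(FLOWS))
```

The external sources returned by `remote_access_contacts` and the destinations returned by `candidate_exfil` are the sets a defender would then check against Attack Surface Intelligence or VirusTotal, as the report does.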

Finally, to identify files that may reflect malicious activity targeting the university, the STRIKE Team searched VirusTotal for recent submissions containing its domain.

Findings

SecurityScorecard observed remote desktop protocol (RDP), virtual network computing (VNC), and other remote access services, which are frequently the entry point for ransomware compromises, exposed on the target institution’s network. To access these services, attackers usually exploit an unpatched vulnerability or authenticate to them using credentials previously leaked or stolen from the target organization. Once an adversary achieves remote access to an internal network device, they can move laterally, deploy ransomware, and exfiltrate sensitive data. In the case of this particular university, NetBIOS ports were open at six IP addresses, and VNC and RDP ports were each open at one.

The traffic sample indicated that the university’s exposed RDP and VNC services experienced suspicious activity in the weeks prior to the attackers’ claim. Port 3389 (the standard port for RDP) saw 185 flows involving sixteen unique, non-university IP addresses between March 5 and April 26. Port 5901 (the standard port for VNC) communicated once with an external IP address on March 5.

Attack Surface Intelligence has linked the IP address that contacted the VNC service, 68.235.43[.]126, to previous targeting of such services.

Image 1: The malicious reputation data regarding 68.235.43[.]126 links it to previous targeting of VNC services.

198.54.129[.]76, 198.54.129[.]84, and 198.54.129[.]78 were responsible for most of the traffic to port 3389 (160 of 185 flows, which occurred between March 31 and April 26). The vendors that contribute detections to VirusTotal have linked all three to malware or assessed them as suspicious. A public fraud risk identification platform links each of them to anonymizing virtual private networks (VPNs), which threat actors often use to disguise the actual sources of malicious traffic. This suggests that attackers used a VPN to route their traffic through these IP addresses when attempting to access the exposed RDP service.

Files uploaded to VirusTotal suggest that the university also experienced phishing in the weeks before the RDP traffic involving the three suspicious IP addresses. This could suggest that phishing earlier in March compromised Bluefield credentials that threat actors then used to access RDP services. Both files are emails dated March 10 and addressed to university accounts; their contents refer to an invoice attached to the message as an HTML file. Their vendor detections mention both HTML phishing and bank fraud, which suggests that they use financial content as a lure leading to a malicious HTML file; the file in question could have redirected targets to a credential-harvesting page or led to a subsequent malicious download that attackers could have used to steal credentials. Given that the emails are dated March 10 and the RDP traffic discussed above occurred from March 31 to April 26, attackers may have used credentials stolen through the phishing reflected by these files (or others like them) to access the exposed RDP services that experienced the suspicious traffic.

Researchers additionally identified 4,283 transfers of 10 MB or more. These involved 543 IP addresses located outside the U.S. and 211 IP addresses other vendors have linked to malicious activity. These IP addresses, which may be more likely to be exfiltration destinations, given their locations and ties to other malicious activity, are available in appendices below.

Conclusion

This recent incident may reflect familiar patterns of behavior by ransomware groups. Attacks against higher education institutions remain common, and phishing and RDP compromise are common features of many intrusions’ early stages. Indeed, even this attack’s most novel feature, the attackers’ use of the university’s emergency notification system to apply additional pressure to the victim organization when demanding a ransom, is, in some ways, continuous with previous incidents in which attackers contacted a college’s students, a company’s board members, or executives’ families, or used victims’ printers to print ransom notes in their places of business.

All such techniques, and the entire concept of double extortion, speak to a tendency among ransomware groups to apply pressure from other angles in addition to the basic operational disruptions that result from the encryption of targets’ files. This may further suggest that attackers have come to regard disruptions unaccompanied by additional threats as insufficient to yield a payment.