Skip to content
Ransomware group

AvosLocker

AvosLocker is a ransomware family and Ransomware-as-a-Service (RaaS) operation associated with double-extortion activity.

Profile source: Mallory opens in a new tab

AvosLocker

Family profile

AvosLocker is a ransomware family and Ransomware-as-a-Service (RaaS) operation associated with double-extortion activity. The provided content states it emerged in June 2021 and has targeted entities in the United States, Canada, the United Kingdom, and Spain, with a focus on critical infrastructure. Reported initial access vectors include spear-phishing, exploitation of public-facing applications, and compromised RDP credentials. The malware is described as establishing persistence with custom webshells, escalating privileges via credential dumping, and exfiltrating data before encryption. AvosLocker encrypts files and network resources using AES-256 and appends .avos, .avos2, or .AvosLinux extensions; the content also notes systems may be rebooted into Safe Mode with Networking before encryption and that its Linux variant has terminated ESXi virtual machines. Additional observed behaviors include enumerating shared drives on compromised networks, checking system time before and after encryption, hiding its console window via the ShowWindow API, and using obfuscated API calls resolved by checksums. The content further notes defense-evasion and masquerading behaviors, including being disguised as a .jpg file and, in one incident, being disguised using the victim company name as the filename. It is also referenced as a RaaS program advertised on the RAMP cybercrime forum.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • LaZagne
  • Mimikatz
  • XenArmor

Defense Evasion

  • Avast Anti-Rootkit driver

Discovery Enum

  • NirSoft WinLister
  • Nmap
  • SoftPerfect NetScan

Exfiltration

  • FileZilla
  • Gofile[.]io
  • PSCP
  • RClone
  • share[.]riseup[.]net

LOLBAS

  • PsExec
  • WMIC

Networking

  • Chisel
  • Ligolo

Offsec

  • Cobalt Strike
  • Sliver

RMM Tools

  • AnyDesk
  • Atera
  • PDQ Deploy
  • Splashtop
  • TacticalRMM

MITRE ATT&CK

AvosLocker in ATT&CK

21 distinct techniques

Reporting

Research mentioning AvosLocker

Apr 17
Comparitech

Inside RAMP: What a leaked database reveals about Russia's ransomware marketplace - Comparitech

We identified 14 distinct RaaS programs: AvosLocker (Nov 2021) ... The AvosLocker listing is particularly significant: a known ransomware operation directly posting buying requests on the same forum where it advertised its RaaS program.

Jan 17
The Hacker News

Black Basta Ransomware Leader Added to EU Most Wanted and INTERPOL Red Notice

Other members joined groups like BlackCat, Hive, AvosLocker, and HelloKitty...

Oct 31
Bleeping Computer

Ukrainian extradited from Ireland on Conti ransomware charges

...infiltrated or taken over other ransomware or cybercrime operations, including BlackCat, Black Basta, ZEON, Hello Kitty, Hive, AvosLocker, Quantum, BlackByte, Karakurt...

May 30
Bleeping Computer

Germany doxxes Conti ransomware and TrickBot ring leader

The leaks ultimately expedited Conti's shutdown, with the cybercrime members moving to other operations or starting new gangs, including Royal, Black Basta, BlackCat, AvosLocker, Karakurt, LockBit, Silent Ransom, DagonLocker, and ZEON.

Nov 13
Picus Security

October 2023: Key Threat Actors, Malware and Exploited Vulnerabilities

CISA highlighted the persistent threat of AvosLocker ransomware, a Ransomware-as-a-Service operation known for its double extortion tactics. Since its emergence in June 2021...

May 11
Bleeping Computer

Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers

Some of the ones found in the wild are Royal Ransomware, Nevada Ransomware, GwisinLocker ransomware, Luna ransomware, RedAlert Ransomware, as well as Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, REvil, RansomEXX, and Hive.

Oct 26
Coveware

Uber Verdict Raises New Risks for Ransom Payments

Most Commonly Observed Ransomware Variants in Q3 2022 ... 5 AvosLocker 3%

Feb 21
Tidal Cyber

Tidal Cyber - TTPs used by BlackByte Ransomware Targeting Critical Infrastructure

Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space ... which may lead to bypassing anti-tampering features. [avoslocker_ransomware]

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.