Avos Locker (Ransomware) – Threat Actor

February 16, 2025
Reading Time: 4 mins read
in Ransomware Group, Threat Actors
Avos Locker

Date of Initial Activity

2021

Location

Unknown

Suspected Attribution 

Ransomware Group

Targeted Countries

United States

China

India

Taiwan

Spain

Botswana

Indonesia

United Kingdom

Canada

Motivation

Financial Gain
Extortion

Software

Windows
Linux

Overview

AvosLocker is a ransomware-as-a-service (RaaS) operation that emerged in mid-2021 and became known for double extortion: affiliates deploy the AvosLocker ransomware to encrypt victim files and threaten to publish stolen data unless a ransom is paid. The group has repeatedly hit sectors where downtime is costly, such as education, manufacturing and healthcare, which made its attacks particularly disruptive. Intrusions are tailored to each victim and combine initial access, data exfiltration and encryption; the pairing of encryption with data leakage is a hallmark of the operation and raises the pressure on victims to pay. AvosLocker initially targeted Windows systems but soon added Linux variants aimed at VMware ESXi servers, broadening the range of victims it could affect. Reported initial-access techniques include exploitation of well-known vulnerabilities such as ProxyShell in Microsoft Exchange Server and a flaw in Zoho ManageEngine ServiceDesk Plus, together with compromised RDP and VPN credentials. Once inside, affiliates steal sensitive data and then deploy the ransomware.

Common targets

  • Individuals
  • Educational Services
  • Manufacturing
  • Health Care and Social Assistance
  • Retail Trade
  • Transportation and Warehousing
  • Information
  • United States
  • China
  • India
  • Taiwan
  • Spain
  • Botswana
  • Indonesia
  • United Kingdom
  • Canada

Attack Vectors

Phishing
Exploitation of public-facing applications (ProxyShell on Microsoft Exchange Server; Zoho ManageEngine ServiceDesk Plus)
Compromised RDP and VPN credentials

How they operate

Once inside a network, AvosLocker combines several steps to maximize the impact of an attack. The ransomware is often run after the host has been rebooted into Windows Safe Mode, where most third-party security software (including antivirus and EDR agents) and user applications do not start and therefore cannot interfere with encryption. The binary accepts command line arguments that tailor its execution to the target environment: a mutex ensures that only one instance runs at a time, and networking and other functions can be selectively disabled to reduce the chance of detection. The ransomware then terminates processes and services that would keep files locked, so that encryption runs uninterrupted, and deletes recovery mechanisms such as Volume Shadow Copies so that victims cannot restore from them.

The encryption routine is the other critical component. On execution the ransomware enumerates all drives, including fixed, removable and mapped network shares. It selects files to encrypt by extension, deliberately excluding certain file types and system files so that the host stays bootable and the damage is not obvious before encryption completes. File contents are encrypted with AES in CBC mode, and the AES key is in turn encrypted with RSA. Only the RSA public key is embedded in the binary; the matching private key is held by the operators, so the AES keys, and therefore the files, cannot be recovered without it. Encrypted files are given an extension such as .avos, .avos2 or .avoslinux depending on the variant. Finally, the ransomware drops a ransom note (GET_YOUR_FILES_BACK.txt) on the system demanding payment in exchange for the decryption tool.
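As an added illustration of the hybrid scheme just described (this is example code written for this page, not AvosLocker's code or anything from the cited reports), the Go program below locks a buffer with a fresh AES-256-CBC key, wraps that key with an RSA public key, and can only unlock it with the matching private key. The extension skip list, the use of one key per file, RSA-OAEP as the wrapping mode, and the output layout (wrapped key, then IV, then ciphertext) are assumptions made for the demo; the page does not describe AvosLocker's exact file format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Extension-based selection. The skip list is an assumption for this demo;
// the page only says that some system file types are excluded. Already
// encrypted files (.avos) are skipped so a second pass does not double-encrypt.
var skipExt = map[string]bool{".exe": true, ".dll": true, ".sys": true, ".lnk": true, ".avos": true}

func shouldEncrypt(name string) bool {
	return !skipExt[strings.ToLower(filepath.Ext(name))]
}

// PKCS#7 padding so CBC can handle inputs that are not a multiple of 16 bytes.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// lockFile is the locker side: a fresh AES-256 key and IV per file (assumed),
// AES-CBC over the body, and the AES key wrapped with the operators' RSA public
// key, which is the only key the binary needs to carry.
// Output layout (our choice): wrappedKey || iv || ciphertext.
func lockFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	out := append(wrapped, iv...)
	return append(out, ct...), nil
}

// unlockFile is what the decryptor sold to a victim does. It cannot run without
// the RSA private key, which the victim never has.
func unlockFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	ks := priv.Size() // RSA modulus size in bytes = length of the wrapped key
	if len(blob) < ks+aes.BlockSize {
		return nil, errors.New("blob too short")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:ks], nil)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[ks:ks+aes.BlockSize], blob[ks+aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// roundTrip generates a throwaway operator key pair, locks, then unlocks data.
func roundTrip(plaintext []byte) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	blob, err := lockFile(&priv.PublicKey, plaintext)
	if err != nil {
		return nil, err
	}
	return unlockFile(priv, blob)
}

func main() {
	data := []byte("quarterly report contents (constructed sample)")
	out, err := roundTrip(data)
	fmt.Println(shouldEncrypt("report.docx"), shouldEncrypt("ntoskrnl.exe"), bytes.Equal(data, out), err)
}
```

The practical point is the asymmetry: a defender who recovers the binary gets only the public key, so static analysis of a sample yields nothing that decrypts files; recovery depends on backups that survived the shadow copy deletion, on keys captured in memory before the process exited, or on the operators' private key.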
The group also runs a data leak site where stolen proprietary data is published, adding a second lever to the extortion: even a victim with good backups faces public exposure of sensitive information unless it pays. These technical methods, combined with AvosLocker's ability to adapt to different environments and to keep evolving its tooling, make it an effective and persistent threat.
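The pre-encryption steps described in this section, a forced Safe Mode boot and shadow copy deletion, are also the defender's best detection points before data is lost. The Go program below is an added example, not code from this page or from any AvosLocker analysis: it runs three regular-expression rules over constructed process-creation records (in a simplified host|user|command line form standing in for the CommandLine field of Sysmon Event ID 1 or Security Event 4688) and escalates any host that trips two distinct rules, so that a lone vssadmin delete by a backup operator is recorded but not escalated while safeboot plus deletion on one host is.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample process-creation records in a simplified
// "host|user|command line" form. They are not real AvosLocker telemetry;
// each stands in for the CommandLine field of Sysmon Event ID 1 or
// Windows Security Event 4688.
var sampleLog = []string{
	`WS01|CORP\jdoe|C:\Windows\System32\vssadmin.exe list shadows`,
	`WS01|CORP\jdoe|C:\Windows\System32\bcdedit.exe /set {default} safeboot network`,
	`WS01|CORP\jdoe|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet`,
	`WS01|CORP\jdoe|C:\Windows\System32\wbem\WMIC.exe shadowcopy delete`,
	`SRV02|CORP\backupsvc|C:\Windows\System32\vssadmin.exe delete shadows /for=D: /oldest`,
	`SRV03|CORP\itadmin|C:\Windows\System32\bcdedit.exe /enum`,
}

type rule struct {
	name string
	re   *regexp.Regexp
}

// Rules keyed to the two pre-encryption steps the section describes: forcing a
// Safe Mode boot and destroying Volume Shadow Copies. Matching is case-insensitive
// and tolerates the .exe suffix and a full path in front of the binary name.
var rules = []rule{
	{"safe_mode_boot", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\s.*\bsafeboot\b`)},
	{"shadow_delete_vssadmin", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+delete\s+shadows\b`)},
	{"shadow_delete_wmic", regexp.MustCompile(`(?i)\bwmic(\.exe)?\s+shadowcopy\s+delete\b`)},
}

// finding is one rule hit on one record.
type finding struct {
	Host, User, Rule, Cmd string
}

// scan applies every rule to every record and returns all hits in input order.
func scan(records []string) []finding {
	var out []finding
	for _, rec := range records {
		parts := strings.SplitN(rec, "|", 3)
		if len(parts) != 3 {
			continue // malformed record: skip it rather than stop the pipeline
		}
		for _, r := range rules {
			if r.re.MatchString(parts[2]) {
				out = append(out, finding{parts[0], parts[1], r.name, parts[2]})
			}
		}
	}
	return out
}

// hostsToAlert escalates hosts that trip at least two distinct rules. A single
// shadow-copy deletion may be a backup job; safeboot plus deletion is not.
func hostsToAlert(fs []finding) []string {
	seen := map[string]map[string]bool{}
	for _, f := range fs {
		if seen[f.Host] == nil {
			seen[f.Host] = map[string]bool{}
		}
		seen[f.Host][f.Rule] = true
	}
	var hosts []string
	for h, rs := range seen {
		if len(rs) >= 2 {
			hosts = append(hosts, h)
		}
	}
	sort.Strings(hosts) // deterministic output for alerting and tests
	return hosts
}

func main() {
	fs := scan(sampleLog)
	for _, f := range fs {
		fmt.Printf("%-6s %-16s %-24s %s\n", f.Host, f.User, f.Rule, f.Cmd)
	}
	fmt.Println("escalate:", hostsToAlert(fs))
}
```

On the constructed input this yields four findings (three on WS01, one on SRV02) and escalates only WS01. In production the same rules belong in the SIEM or EDR query language, and the safeboot rule deserves a high severity on its own: there is almost no legitimate reason for an interactive user to schedule a Safe Mode boot with networking.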
References:
  • #StopRansomware: AvosLocker Ransomware (Update)
  • A Retrospective on AvosLocker
Tags: Avos Locker, AvosLocker, Botswana, Canada, China, India, Indonesia, Microsoft, ProxyShell, RaaS, Ransomware, Spain, Taiwan, Threat Actors, United Kingdom, United States, VMware, VPN, Vulnerabilities, Windows
