Avos Locker (Ransomware) – Threat Actor

February 16, 2025
in Ransomware Group, Threat Actors

Avos Locker

Date of Initial Activity

2021

Location

Unknown

Suspected Attribution

Ransomware Group

Targeted Countries

United States

China

India

Taiwan

Spain

Botswana

Indonesia

United Kingdom

Canada

Motivation

Financial Gain
Extortion

Software

Windows
Linux

Overview

AvosLocker is a sophisticated and highly effective ransomware threat actor that emerged in mid-2021 and gained significant notoriety for its use of double extortion tactics. It operates as a ransomware-as-a-service (RaaS): affiliates carry out the intrusions using the AvosLocker ransomware, which encrypts victim files, while the group threatens to release stolen sensitive data unless a ransom is paid. What sets AvosLocker apart from many other ransomware groups is its consistent targeting of critical sectors such as education, manufacturing, and healthcare, making it particularly disruptive to those industries. Attacks are often tailored to each victim, using specific techniques to breach systems, encrypt files, and exfiltrate data. This focus on both encryption and data leakage has become a hallmark of the group's operations and increases the pressure on victims to pay the ransom.

Initially, AvosLocker concentrated its efforts on Windows-based systems, but it quickly expanded to Linux environments and VMware ESXi servers, which allowed the group to scale its operations and affect a broader range of victims. The group's tactics, techniques, and procedures (TTPs) include exploiting well-known vulnerabilities such as ProxyShell in Microsoft Exchange servers, using compromised RDP and VPN credentials, and exploiting flaws in third-party software such as Zoho ManageEngine ServiceDesk Plus. These weaknesses were used to gain initial access to victims' networks, followed by ransomware deployment and the theft of sensitive data.

Common targets

  • Individuals
  • Educational Services
  • Manufacturing
  • Health Care and Social Assistance
  • Retail Trade
  • Transportation and Warehousing
  • Information
  • United States
  • China
  • India
  • Taiwan
  • Spain
  • Botswana
  • Indonesia
  • United Kingdom
  • Canada

Attack Vectors

Phishing

How they operate

Upon infiltration, AvosLocker uses a combination of processes to maximize the impact of its attacks. The ransomware is often deployed in Windows Safe Mode, allowing it to bypass running applications and security software, such as antivirus programs, which might otherwise interfere with encryption. The threat actor also takes advantage of specific command line arguments to customize the ransomware's execution based on the targeted environment. This customization includes the use of mutexes to ensure that only one instance of the ransomware runs at a time, and the selective disabling of networking and other critical functionalities to avoid detection. AvosLocker then targets specific files and processes for termination, ensuring that its encryption process runs uninterrupted, and deletes any potential recovery mechanisms, such as shadow copies, to prevent victims from recovering their data.

The encryption process itself is another critical component of AvosLocker's technical operation. Once executed, the ransomware scans the infected system and enumerates all drives, including fixed, removable, and network shares. AvosLocker selectively encrypts files based on their extensions, while deliberately excluding certain file types and system files to avoid system instability or detection. Using a combination of AES encryption in CBC mode and RSA encryption to secure the AES key, AvosLocker encrypts the victim's data while ensuring that the encryption process cannot be easily reversed. This hybrid approach provides an additional layer of security for the threat actor, as it makes decryption much more difficult without access to the private RSA key embedded within the ransomware's binary. Finally, once the encryption is complete, AvosLocker drops a ransom note on the victim's system, demanding payment in exchange for the decryption key.

The ransomware group also runs a data leak site where they upload stolen proprietary data, further pressuring the victim to comply with the ransom demand to avoid public exposure of their sensitive information. These technical methods, combined with AvosLocker's ability to adapt to different environments and continuously evolve its attack strategies, make it a highly effective and persistent threat actor in the cybersecurity landscape.
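Two of the pre-encryption behaviours described above, shadow copy deletion and reconfiguring the host to boot into Safe Mode, leave traces in process-creation telemetry. The following detection logic is an added example, not code from the page or its references; the log records are constructed, and the command-line patterns are generic Windows commands commonly associated with those behaviours rather than AvosLocker-specific indicators taken from the page.

```python
import re

# Constructed process-creation records (simplified Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "ws02", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},            # benign: listing, not deleting
    {"host": "ws03", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws03", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},              # benign noise
]

# Each rule: name, MITRE ATT&CK technique the behaviour maps to, pattern matched on the command line.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("safe_mode_boot_config", "T1562.009",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
]


def match_event(event):
    """Return the (rule_name, technique) pairs that a single process-creation event triggers."""
    return [(name, technique) for name, technique, pattern in RULES
            if pattern.search(event["cmdline"])]


def triage(events):
    """Group alerts by host so an analyst sees which machines show recovery-inhibition activity."""
    by_host = {}
    for ev in events:
        for name, technique in match_event(ev):
            by_host.setdefault(ev["host"], []).append(
                {"rule": name, "technique": technique, "user": ev["user"], "cmdline": ev["cmdline"]})
    return by_host


if __name__ == "__main__":
    for host, alerts in triage(SAMPLE_EVENTS).items():
        for a in alerts:
            print(f"{host} {a['user']} {a['rule']} ({a['technique']}): {a['cmdline']}")
```

A host that triggers both rules in a short window is a stronger signal than either alone, since backup destruction followed by a Safe Mode boot configuration precedes encryption rather than any normal administrative task.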
References:
  • #StopRansomware: AvosLocker Ransomware (Update)
  • A Retrospective on AvosLocker