
LAST UPDATED ON OCTOBER 17, 2025

AvosLocker Ransomware Group

By Suleyman Ozarslan, PhD & Picus Labs   August 22, 2022   Ransomware

AvosLocker launched both its ransomware operations and its Ransomware as a Service program in July 2021, and it has steadily built a reputation among affiliates for reliability and reach. The group maintains multiple ransomware variants that can impact Windows, Linux, and VMware ESXi environments, which allows operators to disrupt mixed enterprise infrastructures and virtualized workloads. AvosLocker follows a double extortion playbook that combines data theft with encryption to increase leverage during negotiations, and it regularly refreshes its toolkit with new tactics, techniques, and procedures to improve persistence, lateral movement, and data exfiltration.

Recent campaigns show AvosLocker actors prioritizing internet-facing and virtualization technologies for initial access. Investigations have documented intrusions that begin with the exploitation of vulnerable VMware Horizon Unified Access Gateway appliances affected by Log4Shell, followed by discovery, privilege escalation, and movement across the network using common administrative tools and living-off-the-land techniques. Backups and shadow copies are often deleted to impede recovery, while sensitive files are staged and exfiltrated before encryption to support pressure on leak sites. Organizations can reduce risk by rapidly patching Horizon components, enforcing multifactor authentication for remote and privileged access, segmenting critical systems, monitoring for unusual data movement, and continuously validating detection and response controls against real attacker behavior.

Metadata

Associated Groups: Aliases - Avos
Associated Country: -
First Seen: July 2021
Target Sectors: Education, Energy, Financial Services, Food and Beverage, Government, Healthcare, Manufacturing, Media, Telecommunications, Transportation, Technology
Target Countries: United States, Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Colombia, Germany, India, Israel, Italy, Philippines, Saudi Arabia, Spain, Syria, Taiwan, Turkey, United Arab Emirates, United Kingdom

Modus Operandi

Business Models: Ransomware-as-a-service (RaaS); Triple Extortion
Extortion Tactics: File Encryption; Data Leakage; Threaten to Sell Stolen Information
Initial Access Methods: Exploit Public-Facing Application; External Remote Services; Valid Accounts (Stolen Credentials)
Impact Methods: Data Encryption; Data Exfiltration

Exploited Applications and Vulnerabilities by AvosLocker

Application | Vulnerability | CVE | CVSS
Microsoft Exchange | Remote Code Execution | CVE-2021-31206 | 8.0 High
Microsoft Exchange | ProxyShell Security Feature Bypass | CVE-2021-31207 | 7.2 High
Microsoft Exchange | ProxyShell RCE | CVE-2021-34473 | 9.8 Critical
Microsoft Exchange | ProxyShell Privilege Escalation | CVE-2021-34523 | 9.8 Critical
Microsoft Exchange | Remote Code Execution | CVE-2021-26855 | 9.8 Critical
Zoho ManageEngine ServiceDesk Plus | Authentication Bypass | CVE-2021-40539 | 9.8 Critical
Apache Log4j | Remote Code Execution | CVE-2021-44228 | 10 Critical
Apache Log4j | Remote Code Execution | CVE-2021-45046 | 9 Critical
Apache Log4j | Denial of Service | CVE-2021-45105 | 5.9 Medium
Apache Log4j | Remote Code Execution | CVE-2021-44832 | 6.6 Medium
Atlassian Confluence Server and Data Center | Remote Code Execution | CVE-2022-26134 | 9.8 Critical

Utilized Tools and Malware by AvosLocker

MITRE ATT&CK Tactic | Tools
Execution | Cobalt Strike, Sliver
Defense Evasion | Avast Anti-Rootkit Scanner, aswArPot.sys
Credential Access | Mimikatz, XenArmor Password Recovery Pro Tool
Discovery | WinLister, Advanced IP Scanner, Nmap
Lateral Movement | PDQ Deploy, AnyDesk
Command and Control | AnyDesk, Pscp.exe
Exfiltration | Rclone
Impact | AvosLocker ransomware

