AvosLocker launched both its ransomware operations and its Ransomware as a Service program in July 2021, and it has steadily built a reputation among affiliates for reliability and reach. The group maintains multiple ransomware variants that can impact Windows, Linux, and VMware ESXi environments, which allows operators to disrupt mixed enterprise infrastructures and virtualized workloads. AvosLocker follows a double extortion playbook that combines data theft with encryption to increase leverage during negotiations, and it regularly refreshes its toolkit with new tactics, techniques, and procedures to improve persistence, lateral movement, and data exfiltration.
Recent campaigns show AvosLocker actors prioritizing internet-facing and virtualization technologies for initial access. Investigations have documented intrusions that begin with the exploitation of vulnerable VMware Horizon Unified Access Gateway appliances affected by Log4Shell, followed by discovery, privilege escalation, and movement across the network using common administrative tools and living-off-the-land techniques. Backups and shadow copies are often deleted to impede recovery, while sensitive files are staged and exfiltrated before encryption so that the threat of publication on leak sites adds pressure. Organizations can reduce risk by rapidly patching Horizon components, enforcing multifactor authentication for remote and privileged access, segmenting critical systems, monitoring for unusual data movement, and continuously validating detection and response controls against real attacker behavior.
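The backup and shadow-copy deletion step above is one of the few actions in this chain that leaves an unambiguous host artifact, and a detection for it is a reasonable thing to validate continuously. The following is an added defensive example, not code from the original article or from any AvosLocker case: it runs simple rules over constructed process-creation events (the event fields, hostnames, users and command lines are all assumptions) and flags commands that delete shadow copies, delete the backup catalog, or disable Windows recovery.

```python
# Added defensive example (not from the original article): flag native Windows
# commands that delete shadow copies or backups in process-creation telemetry.
# Event shape and all sample values are constructed assumptions, not case data.
import re
from dataclasses import dataclass

# Regexes run over a normalised (lower-cased, de-quoted) command line.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled no\b"),
}

@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    command_line: str

def normalise(cmd: str) -> str:
    # Strip quotes and collapse whitespace so trivial quoting/spacing does not
    # slip past the word-boundary patterns; then lower-case for matching.
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).lower()

def detect_recovery_tampering(events):
    """Return (rule_name, event) pairs; each event matches at most one rule."""
    findings = []
    for ev in events:
        cmd = normalise(ev.command_line)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append((name, ev))
                break
    return findings

# Constructed samples: three recovery-tampering commands, two benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent("FILESRV02", "CORP\\admin", 'vssadmin.exe  Delete   Shadows /All /Quiet'),
    ProcessEvent("FILESRV02", "CORP\\admin", '"wmic.exe" shadowcopy delete'),
    ProcessEvent("FILESRV02", "CORP\\admin", 'bcdedit.exe /set {default} recoveryenabled No'),
    ProcessEvent("WKS-0142", "CORP\\jdoe", 'vssadmin.exe List Shadows'),
    ProcessEvent("BACKUP01", "CORP\\svc_backup", 'wbadmin.exe get versions'),
]

if __name__ == "__main__":
    for rule, ev in detect_recovery_tampering(SAMPLE_EVENTS):
        print(f"[{rule}] {ev.host} {ev.user}: {ev.command_line}")
```

The benign `List Shadows` and `get versions` events are included so the rules can be checked for false positives as well as hits; in production the same logic would run over Sysmon Event ID 1 or Windows 4688 command-line fields.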