AvosLocker Ransomware Continues to Target US - CISA Alert AA23-284A

On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware [1]. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in its ransomware campaigns. AvosLocker was first seen in June 2021 and has multiple ransomware variants for Windows, Linux, and VMware ESXi environments.

In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by AvosLocker ransomware and how organizations can defend themselves against AvosLocker ransomware attacks.

AvosLocker Ransomware

The AvosLocker ransomware group emerged in June 2021. AvosLocker operates under a Ransomware-as-a-Service (RaaS) business model: the core group provides the ransomware and supporting infrastructure to affiliates in exchange for a percentage of the ransom payments. Like many other contemporary ransomware groups, AvosLocker also employs double extortion. The group steals the victim's sensitive data before encryption and threatens to publish it on its "leak site" if the ransom is not paid, which puts additional pressure on victims that hold sensitive or confidential data. AvosLocker is known for attacking high-profile targets and demanding significant ransoms. Recently, the group has targeted critical infrastructure in multiple sectors in the US, Canada, the UK, and Spain.

AvosLocker affiliates typically gain initial access through spear-phishing emails, exploitation of vulnerable public-facing applications, or compromised Remote Desktop Protocol (RDP) credentials. After initial access, they upload custom webshells to establish persistence in the victim's network. Using known credential dumping tools, AvosLocker threat actors harvest credentials from compromised hosts and reuse them for lateral movement and privilege escalation. Before encryption, they exfiltrate the victim's sensitive files to an adversary-controlled command and control (C2) server. In the final step, AvosLocker reboots the infected machine into Safe Mode with Networking and encrypts the victim's files.

CISA previously released a cybersecurity advisory on AvosLocker ransomware in March 2022. Since then, the threat actors have created new AvosLocker variants and added new capabilities to their arsenal. CISA recommends that organizations continuously validate their security controls against the AvosLocker ransomware variants and their evolving behaviors.

AvosLocker Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1078 Valid Accounts

AvosLocker ransomware operators acquire compromised credentials from Initial Access Brokers (IABs) and from criminal forums and marketplaces. Using these valid accounts, they gain initial access to target networks via RDP or VPN.

T1566 Phishing

AvosLocker threat actors also use phishing and spam email campaigns to deliver the ransomware payload to their targets.

T1133 External Remote Services

The AvosLocker group uses legitimate remote administration software such as AnyDesk, PuTTY, Atera Agent, Splashtop Streamer, Tactical RMM, and PDQ Deploy to gain and maintain access to hosts in target environments. Because IT staff commonly use the same tools, this activity blends in with normal remote administration. The Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 is also known to have been exploited by AvosLocker threat actors as an initial access vector.


Execution

T1059 Command and Scripting Interpreter

Adversaries use custom batch files and PowerShell scripts for privilege escalation, lateral movement, and defense evasion. Scripts observed in AvosLocker intrusions include Love.bat, lock.bat, update.bat, and AVO.ps1.


Example 1: update.bat used by AvosLocker [2]

T1047 Windows Management Instrumentation

AvosLocker executes commands through Windows Management Instrumentation (WMI) and abuses legitimate native Windows tools, such as PsExec for remote command execution and nltest for domain and trust enumeration, so that much of the hands-on-keyboard activity consists of binaries that are already present or expected in an enterprise environment.


Persistence

T1505.003 Server Software Component: Web Shell

After gaining initial access, AvosLocker operators upload custom webshells to establish persistence in the compromised network.

Defense Evasion

T1562.009 Impair Defenses: Safe Mode Boot

Before running the ransomware payload, AvosLocker forces the infected Windows hosts to reboot into Safe Mode. Most third-party endpoint protection services and drivers are not started in Safe Mode, so the payload runs with little interference and is far less likely to be detected or blocked. Using Safe Mode with Networking keeps network connectivity available, so the operators' remote access tooling continues to work during encryption.

Credential Access

T1555 Credentials from Password Stores

AvosLocker threat actors use well-known public credential dumping tools such as Mimikatz and LaZagne to extract credentials from memory and from application password stores (browsers, mail clients, and similar software) on compromised hosts.

Command and Control

T1572 Protocol Tunneling

AvosLocker uses open-source tunneling tools such as Ligolo and Chisel to build an encrypted channel between the compromised network and an adversary-controlled C2 server. Because the tunnel is carried over outbound connections that are normally permitted, it bypasses egress filtering and lets the threat actors transfer tooling into the network and exfiltrate sensitive data without the contents being inspected.


Impact

T1486 Data Encrypted for Impact

AvosLocker ransomware uses a hybrid encryption scheme that combines AES-256-CBC and RSA to encrypt its victims' files: file contents are encrypted with AES, and the AES key material is protected with the attackers' RSA public key, so the files cannot be recovered without the corresponding RSA private key held by the operators. Depending on the version, encrypted files are appended with the .avos or .avos2 extension.

T1490 Inhibit System Recovery

AvosLocker operators delete all volume shadow copies on the infected host to prevent victims from restoring their files from local snapshots. Two commands observed for this purpose are:

cmd /c wmic shadowcopy delete /nointeractive

cmd /c vssadmin.exe Delete Shadows /All /Quiet

The first removes shadow copies through WMI (the Win32_ShadowCopy class) without prompting; the second does the same through the Volume Shadow Copy Service administration tool, deleting every shadow copy silently. Both are legitimate Windows utilities, so the command line arguments, not the binaries themselves, are what detection has to key on.
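The two shadow copy deletion commands above, together with the Safe Mode reboot described under T1562.009, form the pre-encryption footprint a defender can hunt for in process-creation telemetry. The Python detector below is an added example written for this post; it is not code from the CISA advisory, from Picus, or from AvosLocker. It runs over constructed sample events in a simplified pipe-delimited shape (timestamp, host, parent image, command line) standing in for Windows Security event 4688 or Sysmon Event ID 1 records. It matches the wmic and vssadmin deletion commands listed above and, going beyond the page, also matches the PowerShell Win32_ShadowCopy route to the same deletion and the bcdedit safeboot setting, which is the standard way to force a Safe Mode boot (ATT&CK T1562.009); that bcdedit is how AvosLocker triggers the reboot is an assumption here, since the post does not state the mechanism. It then correlates both techniques on a single host within a short time window.

```python
"""Hunt for T1490 (Inhibit System Recovery) and T1562.009 (Safe Mode Boot)
in process-creation telemetry. Added example; sample events are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: <timestamp>|<host>|<parent image>|<command line>.
# Lines 2-4 reproduce the AvosLocker commands from the post plus an assumed
# bcdedit safeboot change; the others are benign noise the rules must ignore.
SAMPLE_EVENTS = """\
2023-10-11T09:12:01Z|WS01|C:\\Windows\\explorer.exe|"C:\\Program Files\\Notepad++\\notepad++.exe"
2023-10-11T09:12:44Z|WS01|C:\\Windows\\System32\\cmd.exe|cmd /c wmic shadowcopy delete /nointeractive
2023-10-11T09:12:45Z|WS01|C:\\Windows\\System32\\cmd.exe|cmd /c vssadmin.exe Delete Shadows /All /Quiet
2023-10-11T09:13:10Z|WS01|C:\\Windows\\System32\\cmd.exe|bcdedit /set {current} safeboot network
2023-10-11T09:13:11Z|WS01|C:\\Windows\\System32\\cmd.exe|shutdown /r /t 0
2023-10-11T09:20:00Z|SRV02|C:\\Windows\\System32\\svchost.exe|vssadmin list shadows
"""

# (technique, rule name, pattern). Patterns are case-insensitive and tolerate
# extra whitespace and the optional .exe suffix. 'vssadmin list shadows' is
# deliberately not matched: only deletion is suspicious.
RULES = [
    ("T1490", "vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    # PowerShell reaching the same WMI class: Get-WmiObject Win32_ShadowCopy | Remove-WmiObject
    ("T1490", "wmi_win32_shadowcopy_remove",
     re.compile(r"win32_shadowcopy.*(?:remove-wmiobject|remove-ciminstance|\.delete\(\))", re.I)),
    # bcdedit ... safeboot minimal|network (and /deletevalue ... safeboot during cleanup)
    ("T1562.009", "bcdedit_safeboot",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    parent: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    technique: str
    rule: str
    cmdline: str


def parse_events(text: str) -> list[Event]:
    """Parse the pipe-delimited sample format; maxsplit keeps pipes inside command lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmdline = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, cmdline))
    return events


def detect(events: list[Event]) -> list[Finding]:
    """Apply every rule to every event; whitespace is collapsed before matching
    so padding such as 'vssadmin   delete    shadows' does not evade the regex."""
    findings = []
    for ev in events:
        normalized = " ".join(ev.cmdline.split())
        for technique, rule, pattern in RULES:
            if pattern.search(normalized):
                findings.append(Finding(ev.ts, ev.host, technique, rule, ev.cmdline))
    return findings


def correlate(findings: list[Finding], window: timedelta = timedelta(minutes=10)) -> list[str]:
    """Hosts where shadow copy deletion (T1490) and a Safe Mode boot change
    (T1562.009) occur within `window` of each other: the staging pattern that
    precedes AvosLocker encryption. Either alone is worth an alert; both together
    on one host should be treated as an active ransomware deployment."""
    by_host: dict[str, list[Finding]] = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    staged = []
    for host, fs in by_host.items():
        t1490 = [f.ts for f in fs if f.technique == "T1490"]
        t1562 = [f.ts for f in fs if f.technique == "T1562.009"]
        if any(abs(a - b) <= window for a in t1490 for b in t1562):
            staged.append(host)
    return sorted(staged)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.ts.isoformat()} {f.host} {f.technique} {f.rule}: {f.cmdline}")
    print("hosts with pre-encryption staging:", correlate(found))
```

Run against the constructed sample, the detector flags the two deletion commands and the bcdedit change on WS01 and leaves the benign `vssadmin list shadows` on SRV02 alone; `correlate` then names WS01 as the host where both techniques co-occur. In production the same rules would be applied to the CommandLine field of 4688 or Sysmon events, and the correlation window tuned to how quickly the environment's ransomware playbooks expect the reboot to follow the deletion.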

How Picus Helps Simulate AvosLocker Ransomware Attacks

We also strongly suggest simulating AvosLocker ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as Snatch, Rhysida, and Akira, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threats for AvosLocker ransomware:

Threat ID | Threat Name | Attack Module
 | AvosLocker Ransomware Download Threat | Network Infiltration
 | AvosLocker Ransomware Email Threat | Email Infiltration (Phishing)

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address AvosLocker ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for AvosLocker ransomware:

Security Control | Signature ID | Signature Name
Check Point NGFW | |
Check Point NGFW | |
Check Point NGFW | |
Cisco FirePower | |
Cisco FirePower | |
Forcepoint NGFW | |
Fortigate AV | |
Fortigate AV | |
Fortigate AV | |
 | | MALWARE: Malicious File Detected by GTI
Palo Alto | | trojan/Win32 EXE.filecoder.aks
Palo Alto | | trojan/Win32 EXE.hive.i
Palo Alto | |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.


[1] "#StopRansomware: AvosLocker Ransomware (Update)," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a. [Accessed: Oct. 11, 2023]

[2] A. Brandt, "Avos Locker remotely accesses boxes, even running in Safe Mode," Sophos News, Dec. 22, 2021. Available: https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/. [Accessed: Oct. 11, 2023]