{
	"id": "523f0963-d82f-40ba-a076-d6c7b4ccdd0d",
	"created_at": "2026-04-06T00:10:39.531238Z",
	"updated_at": "2026-04-10T03:24:30.272574Z",
	"deleted_at": null,
	"sha1_hash": "125ba8d51811c2584eebff754dcf2db1744b8640",
	"title": "Ransomware Spotlight: AvosLocker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 682931,
	"plain_text": "Ransomware Spotlight: AvosLocker\r\nArchived: 2026-04-02 11:42:01 UTC\r\nTop affected industries and countries\r\nOur telemetry shows data on AvosLocker activity and attack attempts. While we observed AvosLocker activity from all over the world, India and Canada showed the highest detection counts from July 1, 2021 to February 28, 2022.\r\nFigure 1. Countries with the highest number of attack attempts per machine for AvosLocker ransomware (July 1, 2021 to February 28, 2022)\r\nSource: Trend Micro™ Smart Protection Network™\r\nBased on our detections, AvosLocker was most active in the food and beverage sector, followed by the technology and finance sectors. However, the margin is slim given the small sample size.\r\nFigure 2. Sector distribution of AvosLocker detections (July 1, 2021 to February 28, 2022)\r\nSource: Trend Micro Smart Protection Network\r\nAs of this writing, the highest number of AvosLocker-related detections we have seen was in the month of February, which continues the sudden increase observed at the start of the year.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker\r\nFigure 3. AvosLocker monthly detections per machine (July 1, 2021 to February 28, 2022)\r\nSource: Trend Micro Smart Protection Network\r\nTargeted regions and sectors according to AvosLocker leak site\r\nWe also looked at AvosLocker’s leak site, which offered a different perspective on its targets. From December 1, 2021 to February 28, 2022 we found 15 listed entities. 
The organizations listed on the site were successfully attacked and had not, in that period, paid the demanded ransom.\r\nBy grouping the list according to region, we found that AvosLocker focused its efforts on targets in North America.\r\nFigure 4. Regional distribution of AvosLocker victims according to the group’s leak site (December 1, 2021 to February 28, 2022)\r\nMore than half of the 15 entities we found on the leak site were small enterprises. With respect to the targets’ specific industries, no trend emerged: as Figure 5 shows, no single industry stood out from the rest.\r\nFigure 5. Sector distribution of AvosLocker victims according to the group’s leak site (December 1, 2021 to February 28, 2022)\r\nWe do note, however, that AvosLocker has shown relatively less activity than other, more prominent ransomware families, both in our detections and in our observations of its leak site. Because of the limited sample size, further monitoring might be necessary to identify trends.\r\nInfection chain and techniques\r\nThe AvosLocker infection chain, which operates on the ransomware-as-a-service (RaaS) model, can vary depending on the target. The following infection chain shows the variety of tactics and tools employed by this RaaS.\r\nFigure 6. 
AvosLocker infection chain\r\nInitial Access\r\nAvosLocker exploits Zoho ManageEngine ServiceDesk Plus for initial access and uses that foothold to download a web shell and AnyDesk.\r\nIt has also been reported to use compromised accounts to access its victims via RDP or a virtual private network (VPN).\r\nDefense Evasion, Discovery, and Credential Access\r\nIt abuses the Avast Anti-Rootkit driver together with a PowerShell script to disable certain antivirus processes.\r\nIt uses a BAT script to disable antivirus services that can run in Windows Safe Mode.\r\nIt uses Mimikatz and the XenArmor Password Recovery Pro tool to obtain credentials.\r\nIt also uses Nmap, NetScan, and native Windows commands (such as ipconfig and nslookup) to perform discovery on the target network.\r\nIt avoids writing the ransomware payload to target systems at this stage.\r\nLateral Movement and Command and Control\r\nAvosLocker installs AnyDesk to gain remote control of the targeted systems.\r\nIt uses PDQ Deploy to push out and execute the Windows batch script on the targeted systems.\r\nImpact\r\nIt then executes the ransomware payload (AvosLocker) to perform its encryption routine once all other routines are done.\r\nThe ransomware payload now comes in both Windows and Linux versions. The Linux version is also known to terminate ESXi virtual machines.\r\nIn its latest attacks, the Windows version was executed after restarting the machine in Safe Mode to keep security software from detecting the ransomware variant.\r\nTo execute in Safe Mode, it adds a RunOnce registry entry under autostart. Further investigation revealed multiple ways AvosLocker can be executed via the RunOnce registry entry:\r\n1. Direct execution of the ransomware payload\r\n2. Execute a PowerShell script that downloads and executes the ransomware payload\r\n3. 
Execute a PowerShell script that decodes and executes the ransomware payload from a disguised .jpg file.\r\nIt drops a ransom note similar to the one in Figure 7.\r\nFigure 7. Sample ransom note used by AvosLocker\r\nOther technical details\r\nIt avoids the following directories:\r\nAll Users\r\nAppData\r\nboot\r\nbootmgr\r\nGames\r\nIntel\r\nMicrosoft. (any directory whose name starts with “Microsoft.”)\r\nProgram Files\r\nProgramData\r\nPublic\r\nSophos\r\nSystem Volume Information\r\nWindows\r\nWindows.old\r\nWinNT\r\nIt avoids encrypting files whose names contain the following strings:\r\nautorun.inf\r\nboot.ini\r\nbootfont.bin\r\nbootsect.bak\r\nconfig.msi\r\ndesktop.ini\r\niconcache.db\r\nntldr\r\nntuser.dat\r\nntuser.dat.log\r\nntuser.ini\r\nthumbs.db\r\nThumbs.db\r\nIt avoids encrypting files with the following extensions:\r\n.386\r\n.adv\r\n.ani\r\n.avos\r\n.avos2\r\n.avos2j\r\n.avoslinux\r\n.bat\r\n.bin\r\n.cab\r\n.cmd\r\n.com\r\n.cpl\r\n.cur\r\n.deskthemepack\r\n.diagcab\r\n.diagcfg\r\n.diagpkg\r\n.dll\r\n.drv\r\n.exe\r\n.hlp\r\n.hta\r\n.icl\r\n.icns\r\n.ico\r\n.ics\r\n.idx\r\n.key\r\n.ldf\r\n.lnk\r\n.lock\r\n.mod\r\n.mpa\r\n.msc\r\n.msi\r\n.msp\r\n.msstyles\r\n.msu\r\n.nls\r\n.nomedia\r\n.ocx\r\n.pdb\r\n.prf\r\n.ps1\r\n.rom\r\n.rtp\r\n.scr\r\n.shs\r\n.spl\r\n.sys\r\n.theme\r\n.themepack\r\n.wpx\r\nIt terminates the following processes:\r\nencsvc\r\nthebat\r\nmydesktopqos\r\nxfssvccon\r\nfirefox\r\ninfopath\r\nwinword\r\nsteam\r\nsynctime\r\nnotepad\r\nocomm\r\nonenote\r\nmspub\r\nthunderbird\r\nagntsvc\r\nsql\r\nexcel\r\npowerpnt\r\noutlook\r\nwordpad\r\ndbeng50\r\nisqlplussvc\r\n
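The Safe Mode reboot chain described under Impact (a RunOnce autostart entry, AnyDesk allowed to run in Safe Mode, and automatic logon for a newly created user) leaves three registry writes that can be correlated per host. The following is an added example and not code from the report or from Trend Micro: a hunt over registry value-set records in the shape of Sysmon Event ID 13. The report names the behaviour but not the exact keys; the RunOnce, SafeBoot and Winlogon locations used below are the standard Windows ones and are an assumption about where these changes land. The sample records are constructed, and key paths are written with '/' separators (real events use the Windows separator, which the code normalises first).

```python
'''Hunt for the AvosLocker Safe Mode reboot chain in registry value-set events.

Added example, not code from the report. Input records are shaped like Sysmon
Event ID 13 (RegistryEvent, value set): host, writing image, key path, data.
The report names the behaviour (RunOnce autostart, AnyDesk allowed in Safe Mode,
automatic logon) but not the exact keys; the locations below are the standard
Windows ones and are an assumption about where the changes land.
'''
import re
from collections import defaultdict


def norm(key):
    '''Lower-case a registry path and rewrite the Windows separator (chr(92)) as '/'.'''
    return key.replace(chr(92), '/').lower()


RUNONCE_RE = re.compile(r'/currentversion/runonce/')
SAFEBOOT_RE = re.compile(r'/control/safeboot/(minimal|network)/')
WINLOGON_RE = re.compile(r'/windows nt/currentversion/winlogon/(autoadminlogon|defaultusername|defaultpassword)$')


def classify_runonce(data):
    '''Map a RunOnce command line to one of the three launch variants the report lists.'''
    d = data.lower()
    ps = 'powershell' in d or 'pwsh' in d
    if ps and re.search(r'[.]jpe?g', d) and re.search(r'frombase64|certutil|-decode', d):
        return 'ps_decode_disguised_image'     # variant 3: payload decoded from a disguised .jpg
    if ps and re.search(r'downloadfile|downloadstring|invoke-webrequest|iwr |http', d):
        return 'ps_download_execute'           # variant 2: payload fetched then run
    if d.endswith('.exe') or '.exe ' in d:
        return 'direct_payload'                # variant 1: payload started directly
    return 'other'


def hunt(events):
    '''Group registry writes per host and score the Safe Mode chain; returns host -> finding.'''
    state = defaultdict(lambda: {'runonce': [], 'safeboot': [], 'autologon': []})
    for ev in events:
        key, data = norm(ev['key']), str(ev.get('data', ''))
        h = state[ev['host']]
        if RUNONCE_RE.search(key):
            h['runonce'].append(classify_runonce(data))
        elif SAFEBOOT_RE.search(key):
            h['safeboot'].append(key)
        elif WINLOGON_RE.search(key):
            h['autologon'].append(key)
    findings = {}
    for host, h in state.items():
        reasons = []
        scripted = [k for k in h['runonce'] if k in ('ps_download_execute', 'ps_decode_disguised_image')]
        if scripted:
            reasons.append('RunOnce launches PowerShell that downloads or decodes a payload')
        if h['safeboot']:
            reasons.append('service registered to start in Safe Mode')
        if h['autologon']:
            reasons.append('Winlogon automatic logon configured')
        if not reasons:
            continue            # installers use RunOnce legitimately; alone it is not a finding
        if h['runonce'] and h['safeboot'] and h['autologon']:
            severity = 'high'   # full chain: something to run, a way in, and a way to get there
        elif scripted or (h['safeboot'] and h['autologon']):
            severity = 'medium'
        else:
            severity = 'low'
        findings[host] = {'severity': severity, 'reasons': reasons}
    return findings


SAMPLE_EVENTS = [   # constructed records, not telemetry from the report
    {'host': 'WS-01', 'image': 'C:/Windows/System32/cmd.exe',
     'key': 'HKLM/SYSTEM/CurrentControlSet/Control/SafeBoot/Network/AnyDesk', 'data': 'Service'},
    {'host': 'WS-01', 'image': 'C:/Windows/System32/cmd.exe',
     'key': 'HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/AutoAdminLogon', 'data': '1'},
    {'host': 'WS-01', 'image': 'C:/Windows/System32/cmd.exe',
     'key': 'HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/DefaultUserName', 'data': 'svc_backup'},
    {'host': 'WS-01', 'image': 'C:/Windows/System32/cmd.exe',
     'key': 'HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce/update',
     'data': ('''powershell.exe -nop -w hidden -c $b=[IO.File]::ReadAllText('C:/Users/Public/wallpaper.jpg');'''
              '''[IO.File]::WriteAllBytes('C:/Users/Public/a.exe',[Convert]::FromBase64String($b));'''
              '''Start-Process 'C:/Users/Public/a.exe' -WindowStyle Hidden''')},
    {'host': 'WS-02', 'image': 'C:/Program Files/Vendor/setup.exe',
     'key': 'HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce/VendorCleanup',
     'data': 'C:/Program Files/Vendor/cleanup.exe /quiet'},
]

if __name__ == '__main__':
    for host, f in hunt(SAMPLE_EVENTS).items():
        print(host, f['severity'], '; '.join(f['reasons']))
```

A RunOnce entry on its own is not reported, since installers use it legitimately; the score rises when it launches PowerShell that downloads or decodes a payload, or when it appears together with a SafeBoot service registration and automatic logon on the same host. A user-creation event (T1136) matching the Winlogon DefaultUserName would strengthen the case further but is not modelled here.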
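The exclusion lists above are enough to reproduce the payload's file-selection rule, which is useful when deciding which canary files or backup locations would actually be touched. The following is an added example, not code from the report or from the malware: the comparison semantics (case-insensitive match on whole directory names, substring match on file names, suffix match on extensions) are assumptions, since the report lists the values but not how they are compared. The sample paths are constructed.

```python
'''Model of the AvosLocker file-selection rule built from the exclusion lists in the report.

Added example; not code from the report or from the malware. Comparison semantics
are assumed: case-insensitive whole directory names, substring match on the file
name, suffix match on the extension. Paths may use '/' or the Windows separator.
'''
from pathlib import PureWindowsPath

SKIP_DIRS = {'all users', 'appdata', 'boot', 'bootmgr', 'games', 'intel',
             'program files', 'programdata', 'public', 'sophos',
             'system volume information', 'windows', 'windows.old', 'winnt'}
SKIP_DIR_PREFIXES = ('microsoft.',)          # any directory whose name starts with Microsoft.
SKIP_NAME_SUBSTRINGS = ('autorun.inf', 'boot.ini', 'bootfont.bin', 'bootsect.bak',
                        'config.msi', 'desktop.ini', 'iconcache.db', 'ntldr',
                        'ntuser.dat', 'ntuser.ini', 'thumbs.db')   # ntuser.dat covers ntuser.dat.log
SKIP_EXTS = {'.386', '.adv', '.ani', '.avos', '.avos2', '.avos2j', '.avoslinux', '.bat',
             '.bin', '.cab', '.cmd', '.com', '.cpl', '.cur', '.deskthemepack',
             '.diagcab', '.diagcfg', '.diagpkg', '.dll', '.drv', '.exe', '.hlp', '.hta',
             '.icl', '.icns', '.ico', '.ics', '.idx', '.key', '.ldf', '.lnk', '.lock',
             '.mod', '.mpa', '.msc', '.msi', '.msp', '.msstyles', '.msu', '.nls',
             '.nomedia', '.ocx', '.pdb', '.prf', '.ps1', '.rom', '.rtp', '.scr', '.shs',
             '.spl', '.sys', '.theme', '.themepack', '.wpx'}


def skip_reason(path):
    '''Return why the payload would leave this file alone, or None if it is a target.'''
    p = PureWindowsPath(path)
    for part in p.parts[1:-1]:               # directory components; drive and file name excluded
        d = part.lower()
        if d in SKIP_DIRS or d.startswith(SKIP_DIR_PREFIXES):
            return 'directory ' + part
    name = p.name.lower()
    for s in SKIP_NAME_SUBSTRINGS:
        if s in name:
            return 'file name contains ' + s
    if p.suffix.lower() in SKIP_EXTS:
        return 'extension ' + p.suffix.lower()
    return None


def partition(paths):
    '''Split paths into (targets, skipped); skipped maps each path to the rule that spared it.'''
    targets, skipped = [], {}
    for path in paths:
        reason = skip_reason(path)
        if reason is None:
            targets.append(path)
        else:
            skipped[path] = reason
    return targets, skipped


SAMPLE_PATHS = [   # constructed paths, not from the report
    'C:/Users/alice/Documents/budget.xlsx',
    'C:/Users/alice/Desktop/notes.txt',
    'D:/Shares/Finance/report.pdf.avos',
    'C:/Users/alice/ntuser.dat',
    'C:/Users/alice/AppData/Local/cache.bin',
    'C:/Windows/System32/kernel32.dll',
    'C:/Program Files/App/app.exe',
    'C:/Data/Microsoft.NET/config.xml',
    'C:/Scripts/deploy.bat',
]

if __name__ == '__main__':
    targets, skipped = partition(SAMPLE_PATHS)
    for t in targets:
        print('ENCRYPT', t)
    for path, why in skipped.items():
        print('SKIP   ', path, '(' + why + ')')
```

Two consequences of the skip list are worth noting: scripts and executables (.bat, .cmd, .ps1, .exe, .dll) are left intact, so the attacker's own tooling keeps working after encryption, and .avos, .avos2, .avos2j and .avoslinux are the extensions the family appends to encrypted files, so a file is never encrypted twice.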
MITRE tactics and techniques\r\nInitial Access\r\nT1190 - Exploit public-facing application: Arrives by exploiting Zoho ManageEngine ServiceDesk Plus to download a web shell and AnyDesk. As it operates as a RaaS, depending on the affiliate, the following exploits might also be used for initial access: CVE-2021-31206, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, CVE-2021-26855\r\nT1078 - Valid accounts: Has been reported to make use of compromised accounts to access victims via RDP or VPN\r\nExecution\r\nT1059 - Command and scripting interpreter: Uses various scripting interpreters such as PowerShell and the Windows command shell\r\nT1072 - Software deployment tools: Used PDQ Deploy to distribute the batch file and payload to target computers\r\nPersistence\r\nT1136 - Create account: Creates a new user to ensure automatic login when the machine is restarted in Safe Mode\r\nT1547 - Boot or logon autostart execution: Creates an autostart entry to ensure execution of the ransomware when restarted in Safe Mode\r\nDefense Evasion\r\nT1112 - Modify registry: Modifies registry entries to allow AnyDesk to run in Safe Mode and to enable automatic login when restarted in Safe Mode\r\nT1562 - Impair defenses: Abuses the Avast Anti-Rootkit driver and a PowerShell script to disable certain processes related to security tools, and restarts the machine in Safe Mode to inhibit security tools from executing\r\nT1140 - Deobfuscate/Decode files or information: Some ransomware samples are decoded using CertUtil, and strings used by the ransomware are encrypted using XOR\r\nT1070 - Indicator removal on host: Deletes the registry entries, scripts, and ransomware binary it created after encryption\r\nCredential Access\r\nT1003 - OS credential dumping: Might use Mimikatz to dump credentials\r\nT1552 - Unsecured credentials: Might use Mimikatz or the XenArmor Password Recovery Pro tool to gather credentials\r\nT1555 - Credentials from password stores: Might use the XenArmor Password Recovery Pro tool to obtain credentials\r\nDiscovery\r\nT1083 - File and directory discovery: Searches for specific files and directories related to its encryption routine\r\nT1135 - Network share discovery: Uses tools to enumerate network shares\r\nT1057 - Process discovery: Discovers certain processes for termination\r\nT1018 - Remote system discovery: Uses tools for network scans\r\nLateral Movement\r\nT1021 - Remote services: Might use AnyDesk to connect remotely and transfer files\r\nT1072 - Software deployment tools: Used PDQ Deploy to distribute the batch file and payload to target computers\r\nCommand and Control\r\nT1219 - Remote access software: Installs AnyDesk to control the targeted systems\r\nImpact\r\n(The Impact column is truncated in the source extraction.)\r\nSummary of malware, tools, and exploits used\r\nSecurity teams can watch out for the presence of the following malware, tools, and exploits that are typically used
in AvosLocker attacks:\r\nInitial Access: Exploit for Zoho ManageEngine ServiceDesk Plus\r\nExecution: PowerShell, Windows command shell\r\nCredential Access: Mimikatz, XenArmor Password Recovery Tool Pro\r\nDiscovery: NetScan, Nmap\r\nLateral Movement: PDQ Deploy\r\nDefense Evasion: BAT file, Avast Anti-Rootkit Scanner, PowerShell script\r\nCommand and Control: AnyDesk (this column is truncated in the source extraction; AnyDesk is named in the infection chain above)\r\nRecommendations\r\nWhile AvosLocker is not yet as prominent as other ransomware families like LockBit, Conti, and Clop, it seems to follow in the footsteps of these more established players. It also reuses tactics that worked for infamous ransomware families, namely REvil. This should be reason enough for organizations to keep an eye on this ransomware family and to stay abreast of the latest trends and tactics employed by threat actors today.\r\nTo help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically for building solid defenses against ransomware.\r\nHere are some best practices that can be included in these frameworks:\r\nAudit and inventory\r\nTake an inventory of assets and data.\r\nIdentify authorized and unauthorized devices and software.\r\nAudit event and incident logs.\r\nConfigure and monitor\r\nManage hardware and software configurations.\r\nGrant admin privileges and access only when necessary to an employee’s role.\r\nMonitor network ports, protocols, and services.\r\nActivate security configurations on network infrastructure devices such as firewalls and routers.\r\nEstablish a software allowlist that only executes legitimate applications.\r\nPatch and update\r\nConduct regular vulnerability assessments.\r\nPerform patching or virtual patching for operating 
systems and applications.\r\nUpdate software and applications to their latest versions.\r\nProtect and recover\r\nImplement data protection, backup, and recovery measures.\r\nEnable multifactor authentication (MFA).\r\nSecure and defend\r\nEmploy sandbox analysis to block malicious emails.\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.\r\nDetect early signs of an attack, such as the presence of suspicious tools in the system.\r\nUse advanced detection technologies such as those powered by AI and machine learning.\r\nTrain and test\r\nRegularly train and assess employees on security skills.\r\nConduct red-team exercises and penetration tests.\r\nA multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.\r\nTrend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. 
This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\n(The IOC list is not captured in this extraction.)\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker"
	],
	"report_names": [
		"ransomware-spotlight-avoslocker"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/125ba8d51811c2584eebff754dcf2db1744b8640.pdf",
		"text": "https://archive.orkl.eu/125ba8d51811c2584eebff754dcf2db1744b8640.txt",
		"img": "https://archive.orkl.eu/125ba8d51811c2584eebff754dcf2db1744b8640.jpg"
	}
}