{
	"id": "68abde8b-1920-4be4-8102-353bbf46a336",
	"created_at": "2026-04-06T00:06:06.232448Z",
	"updated_at": "2026-04-10T03:20:40.640308Z",
	"deleted_at": null,
	"sha1_hash": "1e513a7792baa912acc53c1d779de0b987551ed9",
	"title": "AvosLocker – Modern Linux Ransomware Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 504715,
	"plain_text": "AvosLocker – Modern Linux Ransomware Threats\r\nBy Threat Analysis Unit\r\nPublished: 2022-02-25 · Archived: 2026-04-05 18:11:43 UTC\r\nThis article was written by Sudhir Devkar\r\nSummary\r\nAvosLocker is a recent ransomware family with the capability to encrypt Linux systems. AvosLocker appears to target VMware ESXi virtual machines and Virtual Machine File System (VMFS) files. By targeting VMs, AvosLocker takes advantage of faster and easier encryption of multiple servers with a single command.\r\nBehavioral Summary\r\nOn execution, AvosLocker on Linux systems shows usage instructions for running it with command line parameters, as shown in Figure 1. These parameters control aspects such as the number of threads to be created for encryption and the path of the directory which will get encrypted.\r\nFigure 1: Command Line Usage guide\r\nAfter the parameters are provided, and before encryption begins, it drops ransom note files named “README_FOR_RESTORE” into the folders specified on the command line. In the ransom note AvosLocker asks the user to download the Tor browser and to visit the given Tor onion link. No specific ransom amount is demanded in the ransom note; it instructs the victim to provide the ID mentioned at the end of the ransom note to get pricing details.\r\nhttps://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html\r\nPage 1 of 6\n\nFigure 2: Ransom Note\r\nLooking into the code, the malware checks whether the command line parameters contain “esxi” and “vmfs”. If so, AvosLocker checks for VMware Elastic Sky X Integrated (ESXi) and Virtual Machine File System (VMFS), respectively, and tries to force their shutdown if they are running.\r\nFigure 3: Code snippet to kill ESXi\r\nCommand used to kill ESXi and VMFS services:\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | tail -n +2 | awk -F $',' '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'\r\nFurther, it creates the given number of threads, using mutex lock/unlock to synchronise their operation and prevent the encryption processes from overlapping.\r\nFigure 4: Create Thread and Mutex lock/Unlock\r\nOn further execution AvosLocker creates the number of threads provided by the command line parameters and starts encrypting files from the given path. Analysis showed that each file was encrypted with a unique encryption key. During encryption AvosLocker checks whether the file size is greater than ~12MB. If so, the data is encrypted in ~1Mb blocks. Once encryption completes, the malware stores the encryption key, base64 encoded, at the end of each encrypted file. The ransomware then renames the encrypted file with the extension “.avoslinux”, as shown in Figure 5.\r\nFigure 5: Encryption code flow\r\nThe encrypted files are appended with 171 bytes of base64 data. Analysis of the code flow shows this to be the encryption key stored base64 encoded, as shown in Figure 6.\r\nFigure 6: key appended in encrypted files\r\nAfter encryption, AvosLocker appends the extension .avoslinux to the encrypted file name (Figure 7).\r\nFigure 7: Encrypted files with .avoslinux extension\r\nYara\r\nRule :\r\nrule AvosLocker {\r\nmeta:\r\ndescription = \"AvosLocker Ransomware\"\r\nauthor = \"VMware Threat Research\"\r\nexemplar_hashes = \"7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1\"\r\nstrings:\r\n$s1 = \"avoslinux\" wide ascii nocase\r\n$s2 = \"README_FOR_RESTORE\" wide ascii nocase\r\n$s3 = \"Killing ESXi VMs\" wide ascii nocase\r\ncondition:\r\nuint32(0) == 0x464C457F and filesize \u003e 1MB and filesize \u003c 3MB and\r\nall of ($s*)\r\n}\r\nMITRE ATT\u0026CK TIDs\r\nTID Tactic Description\r\nT1490 Impact Inhibit System Recovery\r\nT1489 Impact Service Stop\r\nT1486 Impact Data Encrypted for Impact\r\nT1082 Discovery System Information Discovery\r\nT1059 Execution Command and Scripting Interpreter\r\nTable 1: MITRE ATT\u0026CK TIDs\r\nIndicators of Compromise (IOCs)\r\nTable 2: Indicator of Compromise\r\nRead more threat analysis insights.\r\nBased on VMware’s Threat Analysis Unit research, Exposing Malware in Linux-Based Multi-Cloud Environments offers a comprehensive look at malware threats targeting multi-cloud environments.\r\nSource: https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html"
	],
	"report_names": [
		"avoslocker-modern-linux-ransomware-threats.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433966,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e513a7792baa912acc53c1d779de0b987551ed9.pdf",
		"text": "https://archive.orkl.eu/1e513a7792baa912acc53c1d779de0b987551ed9.txt",
		"img": "https://archive.orkl.eu/1e513a7792baa912acc53c1d779de0b987551ed9.jpg"
	}
}