{
	"id": "56d4add0-c593-40ec-9dac-79de73dc3b14",
	"created_at": "2026-04-06T01:31:03.077013Z",
	"updated_at": "2026-04-10T13:12:31.535642Z",
	"deleted_at": null,
	"sha1_hash": "931d9a65a35a4538923631a04da3dc9eab7ef06f",
	"title": "AvosLocker Ransomware Behavior Examined on Windows \u0026 Linux",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3109030,
	"plain_text": "AvosLocker Ransomware Behavior Examined on Windows \u0026 Linux\r\nBy Ghanshyam More\r\nPublished: 2022-03-07 · Archived: 2026-04-06 00:47:19 UTC\r\nAvosLocker is a ransomware group that was identified in 2021 and initially targeted Windows machines. A newer variant of the AvosLocker malware also targets Linux environments. In this blog, we examine the behavior of both AvosLocker variants in detail.\r\nAvosLocker is a relatively new ransomware-as-a-service (RaaS) that was first spotted in late June 2021. The attackers use spam email campaigns as the initial infection vector for delivering the ransomware payload. During encryption, processed files are appended with the “.avos” extension. An updated variant appends the extension “.avos2”, and the Linux version appends the extension “.avoslinux”.\r\nAfter every successful attack, the AvosLocker gang publishes the names of its victims on its leak website hosted on the TOR network and offers the exfiltrated data for sale. URL structure: hxxp://avosxxx…xxx[.]onion\r\nThe gang also advertises its latest ransomware variants on the leak website. URL structure: hxxp://avosjonxxx…xxx[.]onion\r\nThe gang has claimed, “The AvosLocker’s latest Windows variant is one of the fastest in the market with highly scalable threading and selective ciphers.” They offer an affiliate program that provides ransomware-as-a-service for potential partners in crime.\r\nRecently they added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines, which lets the gang target a wider range of organizations. The Linux variant can also kill running ESXi VMs, which releases the locks on their virtual disk files so they can be encrypted, making it particularly nasty.\r\nAccording to deep web research by Cyble Research Labs, the threat actors behind AvosLocker exploit Microsoft Exchange Server vulnerabilities via ProxyShell to compromise the victim’s network. The CVEs involved in these exploits are CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, and CVE-2021-31207.\r\nTechnical Analysis of AvosLocker Windows Variant\r\nCommand-Line Options\r\nThe following figure shows a sample of the command-line options.\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux\r\nPage 1 of 13\n\nFig. 1: Command Line Option\r\nThe available options allow control over items such as enabling or disabling SMB brute force, mutex creation, and the number of concurrent threads.\r\nIf no options are given, the malware runs with the default options shown in figure 2: it skips encryption of network drives and SMB shares and runs 200 concurrent threads of its file encryption routine.\r\nFig. 2: Execution with Default Parameter\r\nDuring execution, the malware console displays detailed progress information on the screen (fig. 3).\r\nFig. 3: Progress Details\r\nMost of the strings in the malware are stored XOR-encrypted. The decryption routines are all similar; only the registers and keys differ (fig. 4). Strings are decrypted just before use.\r\nFig. 4: Commonly Used Decryption Routine\r\nInitially, the malware collects the command-line options provided when the application is launched (fig. 5).\r\nFig. 5: Get command-line Options\r\nThen it decrypts the mutex name “Cheic0WaZie6zeiy” and checks whether the mutex already exists, to avoid running multiple instances (fig. 6). The mutex name is a usable host-based indicator: a process that creates or opens it is worth investigating.\r\nFig. 6: Mutex Creation\r\nAs shown in figure 7, AvosLocker uses a multi-threaded design. It calls the APIs below to create multiple worker threads and to hand file paths to them through an I/O completion port, making use of the computing power of multi-core CPUs.\r\nAPIs called:\r\nCreateIoCompletionPort()\r\nPostQueuedCompletionStatus()\r\nGetQueuedCompletionStatus()\r\nFig. 7: Use of CreateIoCompletionPort\r\nThe code creates multiple threads in a loop (fig. 8). The threads are set to the highest priority to encrypt data quickly.\r\nFig. 8: Create Thread In-Loop and Set Priority\r\nAvosLocker performs a recursive sweep through the file system (fig. 9), searches for attached drives, and enumerates network resources using the APIs WNetOpenEnum() and WNetEnumResource().\r\nFig. 9: Search Network Share\r\nBefore selecting a file for encryption, it checks the file attributes and skips the file if FILE_ATTRIBUTE_HIDDEN or FILE_ATTRIBUTE_SYSTEM is set, as shown in figure 10.\r\nFig. 10: Check File Attribute\r\nOnce the attribute check passes, it performs a file extension check and skips the file if its extension matches one of the extensions shown in figure 11.\r\nFig. 11: Skip Extension List\r\nIt also contains a list of files and folders to be skipped from encryption (fig. 12).\r\nFig. 12: Skip File Folder List\r\nAvosLocker uses RSA encryption and ships with a fixed hardcoded ID and the attacker’s RSA public key (fig. 13). Only the matching private key, held by the attackers, can unwrap what is encrypted with this public key, so recovery without it is not possible.\r\nFig. 13: Hardcoded Public Key\r\nAlongside RSA, it uses the ChaCha20 algorithm to encrypt encryption-related information (fig. 14).\r\nFig. 14: Use of ChaCha20\r\nIt appends this encryption-related information (fig. 15) to the end of the file in Base64-encoded form.\r\nFig. 15: Encryption Related Information\r\nThen it appends the “.avos2” extension to the file name using MoveFileWithProgressW (fig. 16).\r\nFig. 16: Add Extension Using Move File\r\nAs seen in figure 17, the files now carry the “.avos2” extension.\r\nFig. 17: File with Updated Extension\r\nIt writes a ransom note (fig. 18) named “GET_YOUR_FILES_BACK.txt” to each directory before encrypting the files in it.\r\nFig. 18: Ransom Note\r\nThe ransom note instructs the user not to shut down the system while encryption is in progress, to avoid file corruption. It asks the victim to visit the onion address with the TOR browser to pay the ransom and obtain the decryption key and decryption application.\r\nAvosLocker Payment System\r\nAfter submitting the “ID” given in the ransom note on AvosLocker’s website (fig. 19), the victim is redirected to the “payment” page.\r\nFig. 19: AvosLocker’s Website\r\nIf the victim fails to pay the ransom, the attackers put the victim’s data up for sale. Figure 20 shows the list of victims (redacted for obvious reasons) published on the site.\r\nFig. 20: List of Victims\r\nAvosLocker also offers an affiliate program that provides ransomware-as-a-service (RaaS). 
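The Windows variant’s file-selection and footer behaviour described above (hidden/system attribute check, extension skip list, Base64 metadata trailer, renamed extension, ransom note per directory) can be turned into an incident-response triage script. The following Python is an added example written for this page; it is not code from the Qualys post or from the malware. The encrypted-file extensions, ransom note names and attribute rules come from the post; the skip-extension list is an assumed placeholder because figure 11 is an image, and the trailer carving (longest trailing run of Base64 alphabet bytes) is an assumed heuristic because the post does not give the footer delimiter. The sample directory tree is constructed inside the script.

```python
import base64
import os
import stat
import tempfile

# Extensions the known variants append (from the post): .avos, .avos2, .avoslinux.
AVOS_EXTENSIONS = ('.avos', '.avos2', '.avoslinux')
# Ransom note names from the post (Windows variant / Linux variant).
RANSOM_NOTES = ('GET_YOUR_FILES_BACK.txt', 'README_FOR_RESTORE')
# Figure 11 of the post is an image, so the real skip list is not reproduced;
# this short list is an ASSUMED placeholder for the demo only.
ASSUMED_SKIP_EXTENSIONS = ('.exe', '.dll', '.sys')
B64_ALPHABET = set(b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=')


def is_hidden_or_system(st):
    # The Windows variant skips FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM files.
    # st_file_attributes exists only on Windows; elsewhere the bits are treated as clear.
    attrs = getattr(st, 'st_file_attributes', 0)
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


def classify(path, st):
    # Apply the selection rules in the order the post describes them.
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if not stat.S_ISREG(st.st_mode):
        return 'not_regular'          # the Linux variant only lists regular files
    if name in RANSOM_NOTES:
        return 'ransom_note'
    if ext in AVOS_EXTENSIONS:
        return 'encrypted'            # already processed by one of the variants
    if is_hidden_or_system(st):
        return 'skipped_attribute'
    if ext in ASSUMED_SKIP_EXTENSIONS:
        return 'skipped_extension'
    return 'at_risk'                  # would be picked up by the encryption loop


def triage(root):
    # Recursive sweep, like the malware's own walk; returns relative paths per class.
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            result.setdefault(classify(full, os.lstat(full)), []).append(rel)
    return {k: sorted(v) for k, v in result.items()}


def carve_trailer(path, tail_bytes=4096):
    # Both variants append Base64-encoded encryption metadata to the end of the
    # file. The delimiter is not in the post, so this carves the longest trailing
    # run of Base64 alphabet bytes (ASSUMED heuristic) and decodes it; returns
    # None when no well-formed Base64 block ends the file.
    with open(path, 'rb') as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - tail_bytes))
        tail = fh.read()
    i = len(tail)
    while i > 0 and tail[i - 1] in B64_ALPHABET:
        i -= 1
    run = tail[i:]
    if not run or len(run) % 4:
        return None
    return base64.b64decode(run)


def build_demo_tree(root):
    # Constructed sample tree for the demo, not data from a real infection.
    footer = base64.b64encode(b'demo-footer')
    files = {
        'report.docx': b'quarterly numbers',
        'tool.exe': b'MZ' + bytes(range(8)),
        'invoice.pdf.avos2': bytes([0, 1, 2, 255, 254, 253]) + footer,
        'GET_YOUR_FILES_BACK.txt': b'Attention!',
        'vm/disk.vmdk.avoslinux': bytes([0, 255, 0, 255]) + footer,
        'vm/README_FOR_RESTORE': b'Attention!',
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(data)


def demo():
    # Returns (per-class file lists, carved trailer of an encrypted file,
    # carve result for the ransom note, which has no Base64 tail).
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        summary = triage(root)
        trailer = carve_trailer(os.path.join(root, 'invoice.pdf.avos2'))
        note_trailer = carve_trailer(os.path.join(root, 'GET_YOUR_FILES_BACK.txt'))
    return summary, trailer, note_trailer


if __name__ == '__main__':
    summary, trailer, note_trailer = demo()
    for klass, paths in sorted(summary.items()):
        print(klass, paths)
    print('carved trailer:', trailer, '| ransom note trailer:', note_trailer)
```

Run against a real share, the at_risk list is the blast radius a responder needs to isolate first, and the carved trailer is the material any recovery attempt would depend on; in a real sample it is the RSA-wrapped metadata, so it stays opaque without the attackers’ private key, and the carve is only a starting point for analysis, not a decryptor.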
The affiliate program advertises “helpful” services to clients such as:\r\nSupports Windows, Linux \u0026 ESXi.\r\nAffiliate panel\r\nNegotiation panel with push \u0026 sound notifications\r\nAssistance in negotiations\r\nConsultations on operations\r\nAutomatic builds\r\nAutomatic decryption tests\r\nEncryption of network resources\r\nKilling of processes and services with open handles to files\r\nHighly configurable builds\r\nRemoval of shadow copies\r\nData storage\r\nDDoS attacks\r\nCalling services\r\nDiverse network of penetration testers, access brokers and other contacts\r\nFig. 21: Partnership Program\r\nTechnical Analysis of AvosLocker Linux Variant\r\nIn this case, the AvosLocker malware arrives as an ELF file. As shown in figure 22, the analyzed file is an x64 Linux executable.\r\nFig. 22: File Details\r\nIt is a command-line application with a few command-line options (fig. 23).\r\nFig. 23: Command-Line Options\r\nThe \u003cThread count\u003e parameter shown above is the number of threads created to encrypt files simultaneously. Depending on the parameters provided at execution, it can also kill ESXi VMs.\r\nUpon execution, the malware first reads the number of threads to create. Then it checks for the string “vmfs” in the file path provided as a command-line argument (fig. 24).\r\nFig. 24: Checks for “vmfs”\r\nAfter that, it also checks for the string “ESXi” in the file path provided as a command-line argument (fig. 25).\r\nFig. 25: Checks for “ESXi”\r\nIf this string is found, it calls a routine that kills the running ESXi virtual machines (fig. 26).\r\nFig. 26: Code to Kill ESXi Virtual Machine\r\nThe command used to kill the ESXi virtual machines is shown in figure 27.\r\nFig. 27: Command to Kill Running ESXi Virtual Machine\r\nAvosLocker then drops a ransom note file (fig. 28) in the targeted directory.\r\nFig. 28: Create ransom note\r\nAfter that, it starts building the list of files to encrypt. Before adding a file path to the list, it checks whether the path is a regular file (fig. 29); only regular files are added to the encryption list.\r\nFig. 29: Checks File Info\r\nAvosLocker also excludes the ransom note file and any file with the extension “avoslinux” from the encryption list (fig. 30), so a second run does not double-encrypt its own output.\r\nFig. 30: Skip “avoslinux” Extension File\r\nIt then uses mutex lock/unlock calls for thread synchronization, as shown in figure 31.\r\nFig. 31: Lock-Unlock Mutex for Thread Synchronization\r\nBased on the number of threads specified, it creates that many concurrent threads (fig. 32), so different files are encrypted simultaneously at high speed.\r\nFig. 32: Create Threads in Loop\r\nAvosLocker’s Linux variant uses the Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.\r\nFile-related information, along with the encryption key used, appears to be encrypted and then Base64-encoded. This encoded information is appended to the end of each encrypted file (fig. 33).\r\nFig. 33: File-related Info added at the end\r\nFigure 34 shows the malware appending the extension “.avoslinux” to the encrypted file names.\r\nFig. 34: Append file extension “.avoslinux” after encryption\r\nBefore starting file encryption, it creates a ransom note named “README_FOR_RESTORE”. The content of this ransom note is shown in figure 35.\r\nFig. 35: Ransom Note\r\nThe ransom note instructs the victim not to shut down the system while encryption is in progress, to avoid file corruption. It asks the victim to visit the onion address with a TOR browser to pay the ransom and obtain the decryption key and decryption application.\r\nIndicators of Compromise (IOCs):\r\nWindows (SHA256): C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02\r\nLinux (SHA256): 7C935DCD672C4854495F41008120288E8E1C144089F1F06A23BD0A0F52A544B1\r\nURLs:\r\nhxxp://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad[.]onion\r\nhxxp://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad[.]onion\r\nMutex (Windows): Cheic0WaZie6zeiy\r\nRansom notes: GET_YOUR_FILES_BACK.txt (Windows), README_FOR_RESTORE (Linux)\r\nEncrypted-file extensions: .avos, .avos2 (Windows), .avoslinux (Linux)\r\nTTP Map:\r\nInitial Access: Phishing (T1566)\r\nExecution: User Execution (T1204)\r\nDefense Evasion: Obfuscated Files or Information (T1027)\r\nDiscovery: System Information Discovery (T1082); File and Directory Discovery (T1083)\r\nImpact: Data Encrypted for Impact (T1486); Inhibit System Recovery (T1490)\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux"
	],
	"report_names": [
		"avoslocker-ransomware-behavior-examined-on-windows-linux"
	],
	"threat_actors": [],
	"ts_created_at": 1775439063,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/931d9a65a35a4538923631a04da3dc9eab7ef06f.pdf",
		"text": "https://archive.orkl.eu/931d9a65a35a4538923631a04da3dc9eab7ef06f.txt",
		"img": "https://archive.orkl.eu/931d9a65a35a4538923631a04da3dc9eab7ef06f.jpg"
	}
}