{
	"id": "b143664a-64ed-49ee-ad82-fc18448deb2a",
	"created_at": "2026-04-10T03:20:35.735003Z",
	"updated_at": "2026-04-10T03:22:18.019318Z",
	"deleted_at": null,
	"sha1_hash": "d59d43e8ad8aa7befb326328ad97ff439be9c3ea",
	"title": "AvosLocker Ransomware Targets VMware ESXi Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1213790,
	"plain_text": "AvosLocker Ransomware Targets VMware ESXi Servers\r\nBy cybleinc\r\nPublished: 2022-01-17 · Archived: 2026-04-10 03:18:43 UTC\r\nRansomware is a category of malware that uses various encryption algorithms to encrypt crucial data on the user’s machine and demands a ransom from the user. AvosLocker is a ransomware group identified in 2021 that specifically targets Windows machines. Additionally, Cyble Research Labs came across a Twitter post that mentioned a new Linux variant of AvosLocker ransomware targeting VMware ESXi servers. In this blog post, we discuss the AvosLocker Linux ransomware in detail.\r\nThrough dark/deep web research, Cyble Research Labs found that the Threat Actors (TAs) or affiliates of the AvosLocker ransomware group are using ProxyShell to exploit Microsoft Exchange Server vulnerabilities, such as CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, and CVE-2021-31207, to compromise the victim’s network. Once the TAs access the machine, they deploy mimikatz to dump passwords. Using the identified passwords, the TAs can gain RDP access to the domain controller and exfiltrate data from the compromised machine. Finally, the attacker deploys AvosLocker ransomware on the victim system to encrypt the victim’s documents and files.\r\nTechnical Analysis\r\nBased on static analysis, we found that the malicious file is an x64-based Executable and Linkable Format (ELF) file, as shown in Figure 1.\r\nhttps://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/\r\nPage 1 of 9\r\nFigure 1 – Static ELF File Details\r\nUpon execution on a Linux machine, the AvosLocker ransomware instructs the user to run a command with a parameter that specifies the path of the directory to be encrypted. The command has another parameter that denotes the number of threads to be used in the encryption process. The built-in multithreading functionality helps the TAs encrypt the files faster, as shown in Figure 2.\r\nFigure 2 – Malware Instructs for Drive Path\r\nAfter execution, AvosLocker checks for the presence of VMware Elastic Sky X Integrated (ESXi) and the Virtual Machine File System (VMFS), and kills the Virtual Machines (VMs) if they are running, using the command shown in the figure below.\r\nFigure 3 – Command to Kill ESXi VMs\r\nThe figure below shows that the malware appends the extension .avoslinux to the files after encrypting them on the victim’s machine.\r\nFigure 4 – Appends the File Extension after Encryption\r\nBefore encrypting the files, the malware performs a thread synchronization operation using mutex lock/unlock APIs to avoid overlapping encryption operations, as shown in Figure 5.\r\nFigure 5 – Thread Synchronization Encrypting the Files\r\nAn encrypted file has base64-encoded content appended at its end. As shown in the figure below, we suspect that the base64-encoded data contains a cryptographic key used to encrypt the file.\r\nFigure 6 – Encrypted File Contents\r\nBefore starting the encryption process, the malware drops ransom notes named README_FOR_RESTORE.txt in the specified drive. Then, like other ransomware groups, the attackers instruct the victims to visit the TOR website, as shown in the figure below.\r\nFigure 7 – Ransom Note\r\nWhen the victim visits AvosLocker’s TOR website, it asks for the ID given in the ransom note to proceed with the payment process, as shown in the figure below.\r\nFigure 8 – AvosLocker’s TOR Website\r\nOnce the victim enters the ID, the website redirects to the payment page, where the TAs instruct victims to pay USD 1,000,000.00 / 4629.63 XMR / 28.61 BTC (25% processing fee); the ransom amount doubles if the victim does not pay before the deadline.\r\nFor payment through Monero, the TAs have provided a Monero ID and a payment ID, as shown in Figure 9.\r\nFigure 9 – AvosLocker’s Payment Page\r\nOther Observations\r\nCyble Research Labs found that the TAs leaked their victims’ details on their leak website when victims failed to pay the ransom. The following figure shows the AvosLocker leak website with recent victims.\r\nFigure 10 – List of Victims Mentioned on the Leak Site\r\nThe leak site also shows that the TAs advertise an affiliate program that provides Ransomware as a Service (RaaS), which includes affiliate panels, calling services, etc., as shown in the figure below.\r\nFigure 11 – AvosLocker’s Partnership Program\r\nThe ransomware group is looking for support to expand its ransomware business in countries such as the USA, Canada, the United Kingdom, and Australia, as shown in the figure below.\r\nFigure 12 – TA’s Post on Cyber Crime Forum\r\nConclusion\r\nThere is likely a new version of AvosLocker ransomware for the Linux platform. In this latest version, the cybercriminals added unique code to evolve their RaaS service with new Tactics, Techniques, and Procedures (TTPs) that target ESXi and VMFS machines. Therefore, we believe that further enhancements may follow in an upcoming variant of the AvosLocker ransomware.\r\nWe are continuously monitoring AvosLocker’s extortion campaign and will update our readers with the latest information as and when we find it.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nSafety measures needed to prevent ransomware attacks\r\n- Conduct regular backups and keep those backups offline or in a separate network.\r\n- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\n- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\n- Refrain from opening untrusted links and email attachments without verifying their authenticity.\r\nSteps users should take after a ransomware attack\r\n- Detach infected devices from the shared network.\r\n- Disconnect external storage devices if connected.\r\n- Inspect system logs for suspicious events.\r\nImpact and Criticality of AvosLocker Ransomware\r\n- Loss of valuable data.\r\n- Loss of the organization’s reliability or integrity.\r\n- Loss of the organization’s business information.\r\n- Disruption of organization operations.\r\n- Economic loss.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1190 | Exploit Public-Facing Application\r\nInitial Access | T1189 | Drive-by Compromise\r\nExecution | T1059 | Command and Scripting Interpreter\r\nCredential Access | T1555 | Credentials from Password Stores\r\nDiscovery | T1082 | System Information Discovery\r\nCollection | T1530 | Data from Cloud Storage Object\r\nImpact | T1490 | Inhibit System Recovery\r\nImpact | T1489 | Service Stop\r\nImpact | T1486 | Data Encrypted for Impact\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator Type | Description\r\n0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6 | SHA256 | AvosLocker ELF\r\n10ab76cd6d6b50d26fde5fe54e8d80fceeb744de8dbafddff470939fac6a98c4 | SHA256 | AvosLocker ELF\r\n7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1 | SHA256 | AvosLocker ELF\r\ne737c901b80ad9ed2cd800fec7c2554178c8afab196fb55a0df36acda1324721 | SHA256 | Archive file containing AvosLocker ELF\r\nhxxp://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad[.]onion | URL | AvosLocker’s TOR website\r\nhxxp://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad[.]onion | URL | AvosLocker’s leak website\r\nSource: https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/"
	],
	"report_names": [
		"avoslocker-ransomware-linux-version-targets-vmware-esxi-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775791235,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d59d43e8ad8aa7befb326328ad97ff439be9c3ea.pdf",
		"text": "https://archive.orkl.eu/d59d43e8ad8aa7befb326328ad97ff439be9c3ea.txt",
		"img": "https://archive.orkl.eu/d59d43e8ad8aa7befb326328ad97ff439be9c3ea.jpg"
	}
}