dormant profile
type Ransomware
threat_level High
status Dormant
origin Unknown — RaaS operation
last_updated 2026-03-27

AvosLocker

also referenced as: Avos2 (Windows variant); AvosLinux (ESXi variant); FBI/CISA CSA AA23-284A

A RaaS operation that emerged in mid-2021 targeting US critical infrastructure sectors — financial services, critical manufacturing, and government facilities — with confirmed FBI activity through May 2023. AvosLocker combined a layered extortion model with live pressure tactics: operators phoned victims directly during negotiations to threaten data publication and, in some cases, deployed DDoS attacks while ransom discussions were ongoing. Technically notable for pioneering the abuse of a legitimate Avast Anti-Rootkit driver to disable third-party endpoint security tools — the first US-observed instance of that technique — and for running its ransomware payload inside Windows Safe Mode to prevent security software from loading at all.

attributed origin Unknown (RaaS — operator identity unconfirmed)
suspected sponsor None — financially motivated organized crime
first observed June–July 2021
primary motivation Financial — Ransomware / Data Extortion
primary targets Critical Infrastructure, Finance, Manufacturing, Government
known victims 60+ (leak site, by Feb 2022)
fbi advisory AA23-284A (Oct 2023, updated)
target regions US (primary), Canada, UK, Spain, India
last confirmed activity May 2023 (FBI)

Overview

AvosLocker is a Ransomware-as-a-Service operation that first appeared on dark web forums in June–July 2021, recruiting affiliates with an offer that included not just ransomware payload access and affiliate panels, but an integrated calling service — meaning the AvosLocker operation would place live phone calls to victims on behalf of affiliates during ransom negotiations. This calling service was explicitly advertised as a value-add in the group's RaaS recruitment materials, enabling affiliates to add direct voice pressure to the threat of data publication on AvosLocker's Tor-hosted leak site.

The group emerged in a period following the disruption of REvil and the voluntary shutdown of other prominent RaaS operations, and analysts at the time noted that AvosLocker appeared to be one of the operations attempting to fill that gap. Its TTPs borrowed from predecessors — particularly REvil, which had also used Safe Mode rebooting as an evasion technique — while adding its own innovations, most notably the abuse of a legitimate Avast Anti-Rootkit Driver (aswArPot.sys) to terminate security product processes at the kernel level. Trend Micro researchers identified this as the first US-observed use of that specific evasion method in a ransomware campaign.

AvosLocker operates under the standard modern ransomware playbook: compromise, lateral movement, data exfiltration, encryption, and double extortion. But several distinguishing characteristics set it apart from peer groups. Affiliates were explicitly instructed not to attack targets in post-Soviet or CIS countries, a restriction common among Russian-speaking criminal groups that suggests at minimum Eastern European operator influence, though the group's origin has not been formally confirmed. The RaaS advertised Windows builds (Avos and Avos2) and a Linux build aimed at VMware ESXi hosts, giving affiliates cross-platform capability that many competing operations took longer to develop.

The FBI and the Treasury Department's FinCEN published an initial AvosLocker advisory in March 2022; the FBI and CISA issued the updated joint advisory AA23-284A in October 2023, covering activity through May 2023. The updated advisory documented new tooling, including a persistence implant called NetMonitor.exe that masquerades as a legitimate network-monitoring tool while functioning as a reverse proxy, giving operators a way back into the victim network even after perimeter access has been closed off. No arrests or formal law-enforcement disruption of AvosLocker infrastructure have been publicly confirmed. The group is assessed as dormant as of this writing, with no activity reported since the May 2023 incidents the FBI documented.

Target Profile

AvosLocker's targeting is driven by affiliate selection and the group's articulated preference for "big game" organizations with significant ability to pay, concentrated in the United States. The group explicitly sought affiliates focused on the US, Canada, United Kingdom, and Australia — and warned affiliates against targeting post-Soviet or CIS country organizations.

  • US Critical Infrastructure: The FBI and CISA advisory (AA23-284A) confirms compromise of organizations across multiple critical infrastructure sectors, including financial services, critical manufacturing, and government facilities. These sectors are attractive to extortion operators because they have little tolerance for operational disruption and strong pressure to restore service quickly.
  • Financial Services: Pacific City Bank is among the publicly confirmed AvosLocker victims, along with other financial institutions. The sensitivity of financial data to publication extortion — due to regulatory and reputational consequences — makes the sector a high-value target for double extortion operators.
  • Technology and Manufacturing: GIGABYTE Technology, a major PC hardware manufacturer, was listed among AvosLocker's victims. Technology companies represent high-value targets because of the combination of valuable intellectual property and reputational sensitivity to data exposure.
  • Healthcare and Education: Christus Health, a major US healthcare system, and Savannah College of Art and Design (SCAD) and Bluefield University are among disclosed victims. Healthcare organizations are consistently targeted due to the regulatory sensitivity of protected health information and operational criticality.
  • VMware ESXi Environments: The Linux/ESXi variant of AvosLocker targets organizations that have consolidated server workloads onto VMware ESXi hypervisors. It force-kills running virtual machines and then encrypts their files from a single execution, so one compromised host can take down every workload it runs.

Tactics, Techniques & Procedures

Documented TTPs drawn from the FBI/CISA joint advisory AA23-284A, Sophos incident response analysis, Trend Micro technical research, and Cyble research findings. Given the RaaS model, initial access TTPs vary significantly by affiliate.

mitre id technique description
T1190 Exploit Public-Facing Application Affiliates exploited multiple vulnerabilities for initial access. Documented CVEs include Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and the related Exchange RCE CVE-2021-31206, ProxyLogon (CVE-2021-26855, CVE-2021-27065), Zoho ManageEngine ADSelfService Plus (CVE-2021-40539), Apache Log4j Log4Shell (CVE-2021-44228, CVE-2021-45046), and Atlassian Confluence OGNL injection (CVE-2022-26134).
T1133 External Remote Services Affiliates used compromised credentials purchased from initial access brokers to reach victim environments over RDP or VPN. Remote administration tools (AnyDesk, Splashtop Streamer, PuTTY, Tactical RMM, PDQ Deploy, and Atera Agent) were then deployed as persistent backdoor access across multiple intrusions documented in the FBI advisory.
T1562.001 Impair Defenses: Disable or Modify Tools Batch scripts deployed via PDQ Deploy modified or deleted Registry keys for Windows Defender and third-party products including Kaspersky, Carbon Black, Trend Micro, Symantec, Bitdefender, and Cylance. A May 2022 variant abused a legitimate Avast Anti-Rootkit Driver (aswArPot.sys) — which operates at kernel privilege — to directly terminate security product processes. This was the first US-observed use of a third-party AV driver for endpoint security evasion in a ransomware attack.
T1562.009 Safe Mode Boot AvosLocker reboots victim systems into Windows Safe Mode with Networking before encrypting files. Most endpoint security products, EDR included, do not load in Safe Mode. Operators keep remote access through the reboot and encryption sequence by registering AnyDesk so that it is allowed to start in Safe Mode with Networking (the SafeBoot\Network registry key lists the services permitted there). The machine is configured to log in automatically as a newly created local administrator ('newadmin') when it restarts in Safe Mode.
T1505.003 Web Shell Custom ASPX web shells were uploaded to compromised networks to establish persistent server-side access, enabling attacker re-entry independent of the remote administration tools deployed during the intrusion. Web shells were observed in combination with AnyDesk installation as part of the initial post-exploitation setup.
T1572 Protocol Tunneling The open-source tunneling tools Ligolo and Chisel were used for network tunneling during lateral movement phases. These tools enable encrypted tunnel creation through firewalls and NAT environments, providing operator connectivity to internal network segments not directly reachable from internet-facing systems.
T1555 Credentials from Password Stores / T1003.001 OS Credential Dumping: LSASS Memory LaZagne and Mimikatz were used for credential harvesting: LaZagne pulls saved passwords from application stores, Mimikatz dumps credential material from LSASS memory. Harvested credentials were used to authenticate to additional systems within victim environments, enabling lateral movement without further exploitation. Nltest was used for domain reconnaissance alongside credential-based lateral movement.
T1048 Exfiltration Over Alternative Protocol FileZilla and Rclone were used for data staging and exfiltration prior to ransomware deployment. Exfiltrated data was used as double extortion leverage — published or sold on the AvosLocker leak site if ransom was not paid. The group also auctioned stolen data in some cases, adding a third monetization layer beyond ransom payment and direct data publication.
T1490 Inhibit System Recovery Batch scripts disable Windows Update, delete Volume Shadow Copies using vssadmin, and disable Windows Error Recovery to prevent system restoration. The registry key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware is set to 1 to disable Windows Defender. A RunOnce registry key establishes ransomware persistence across reboots during the encryption phase.
(no direct ATT&CK mapping; the DDoS component is T1498 Network Denial of Service) Operator Calling Service AvosLocker's RaaS offering included a built-in calling service enabling operators to phone victims directly during ransom negotiations. Callers encouraged victims to visit the Tor negotiation site and threatened data publication. In some cases, DDoS attacks were simultaneously launched against victims during negotiations to increase pressure. This multi-channel pressure model is relatively uncommon among ransomware RaaS operations.
T1090 Proxy / T1036.005 Masquerading: Match Legitimate Name or Location NetMonitor.exe Persistence A custom persistence tool named NetMonitor.exe was documented in the 2023 FBI advisory. It masquerades as a legitimate network monitoring process, pings a hardcoded C2 IP address every five minutes over port 443, and functions as a reverse proxy, enabling operator connectivity from outside the victim network even after other access methods have been remediated. The FBI developed a YARA rule specifically for NetMonitor.exe detection.
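The staging sequence in the T1562.001, T1562.009 and T1490 rows above is what a detection engineer keys on, because every step is a plain command line that shows up in process-creation telemetry. The Python below is an added example (not code from the advisory or from any vendor) that runs a stage-chain rule over constructed Sysmon Event ID 1 style records: it classifies each command line into a staging stage and pages when one host shows several distinct stages inside a short window. The hostnames, timestamps, command lines, the 15-minute window and the three-stage threshold are all assumptions.

```python
"""Detect the AvosLocker pre-encryption staging chain in process-creation telemetry.

Added example: not code from the advisory or from any vendor. Input is a list of
constructed Sysmon Event ID 1 style records (host, UTC timestamp, command line).
The stage patterns follow the batch-script behaviour the profile describes:
Defender policy key set, shadow copies deleted, local admin created, autologon
set, a remote-access service registered under SafeBoot\\Network, Safe Mode boot
configured, forced reboot. Window and threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

STAGES = {
    "defender_policy_disable": re.compile(
        r"reg(?:\.exe)?\s+add\s+.*Policies\\Microsoft\\Windows Defender.*DisableAntiSpyware.*\s1\b", re.I),
    "vss_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "local_admin_create": re.compile(r"net1?(?:\.exe)?\s+user\s+(?:/add\s+\S+|\S+\s+\S+\s+/add)", re.I),
    "autologon": re.compile(r"reg(?:\.exe)?\s+add\s+.*Winlogon.*AutoAdminLogon.*\s1\b", re.I),
    "safemode_rat_service": re.compile(r"reg(?:\.exe)?\s+add\s+.*SafeBoot\\Network\\\S+", re.I),
    "safeboot_network": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{?(?:current|default)\}?\s+safeboot\s+network", re.I),
    "forced_reboot": re.compile(r"shutdown(?:\.exe)?\s+.*(?:/r|-r)\b", re.I),
}

WINDOW = timedelta(minutes=15)  # assumption: the whole chain runs within minutes
MIN_STAGES = 3                  # assumption: any three distinct stages is enough to page

# Constructed sample telemetry. WS-FIN-07 shows the full chain; SRV-BKP-01 shows
# two legitimate-looking admin actions hours apart that must not fire.
SAMPLE_EVENTS = [
    ("WS-FIN-07", "2023-03-14T02:11:03Z",
     r'C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    ("WS-FIN-07", "2023-03-14T02:11:05Z", r"vssadmin.exe delete shadows /all /quiet"),
    ("WS-FIN-07", "2023-03-14T02:11:09Z", r"net user /add newadmin password123456 /Y"),
    ("WS-FIN-07", "2023-03-14T02:11:10Z", r"net localgroup Administrators newadmin /add"),
    ("WS-FIN-07", "2023-03-14T02:11:12Z",
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f'),
    ("WS-FIN-07", "2023-03-14T02:11:14Z",
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk" /ve /t REG_SZ /d Service /f'),
    ("WS-FIN-07", "2023-03-14T02:11:15Z", r"bcdedit /set {current} safeboot network"),
    ("WS-FIN-07", "2023-03-14T02:11:16Z", r"shutdown /r /t 0"),
    ("SRV-BKP-01", "2023-03-14T01:40:00Z", r"vssadmin.exe delete shadows /for=C: /oldest"),
    ("SRV-BKP-01", "2023-03-14T09:12:00Z", r"net user /add svc_backup Xq9-tmp /Y"),
]


def classify(cmdline):
    """Return the names of every staging stage the command line matches."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]


def detect(events, window=WINDOW, min_stages=MIN_STAGES):
    """Map host -> sorted stage names for hosts showing >= min_stages distinct stages inside `window`."""
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        for stage in classify(cmd):
            per_host[host].append((datetime.strptime(ts, TS_FMT), stage))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # slide a window from each hit
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                findings[host] = sorted(stages)
                break
    return findings


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} staging stages -> {', '.join(stages)}")
```

A single stage on its own (a backup job deleting old shadow copies, a help-desk script adding a local user) is normal; it is the co-occurrence of several within minutes on one host that is specific to this playbook, which is why the rule counts distinct stages per host rather than alerting per command.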

Known Campaigns

Major confirmed victim disclosures and technical campaign clusters documented across AvosLocker's operational period.

Initial US Critical Infrastructure Campaign 2021–2022

AvosLocker launched its initial campaign wave targeting US critical infrastructure immediately after the group recruited affiliates on underground forums in mid-2021. By February 2022, over 60 victim organizations had been listed on the AvosLocker leak site. Confirmed victims from this period include Pacific City Bank, GIGABYTE Technology, Christus Health, Savannah College of Art and Design, and Bluefield University. The FBI and Treasury's FinCEN jointly released the first AvosLocker advisory in March 2022 covering this activity. Initial access vectors in this phase relied heavily on Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities, with AnyDesk used as a persistent access tool throughout. Ransom demands during this period reached as high as $1 million in documented cases.

Avast Driver Abuse / Log4Shell Scanning Variant 2022

Trend Micro researchers identified a new AvosLocker variant in May 2022 with two notable additions: abuse of the legitimate Avast Anti-Rootkit Driver (aswArPot.sys) to terminate endpoint security processes at kernel privilege, the first sample from the US that Trend Micro had seen doing so, and scanning of the victim network and adjacent ranges for endpoints vulnerable to Log4Shell (CVE-2021-44228) using an Nmap NSE script. The suspected initial access vector was the Zoho ManageEngine ADSelfService Plus exploit (CVE-2021-40539). The variant used PDQ Deploy to push malicious batch scripts across the network for AV disablement and account creation, then initiated a Safe Mode reboot with AnyDesk pre-configured to start in that mode. The driver abuse prompted coordination between Trend Micro, Avast and Microsoft, with Microsoft releasing a Windows 10 and 11 block to prevent the old driver from loading.

NetMonitor Persistence Phase 2023

FBI investigations identified AvosLocker activity through May 2023 that introduced the NetMonitor.exe persistence tool — a custom implant masquerading as a network monitoring utility. NetMonitor pings an attacker-controlled IP over port 443 every five minutes and functions as an encrypted reverse proxy, maintaining operator connectivity even after perimeter remediation. The October 2023 FBI/CISA updated advisory (AA23-284A) documented the new tooling alongside IOCs from January–May 2023 and included a YARA rule developed by FBI specifically for NetMonitor detection. The advisory also documented expanded use of Cobalt Strike and Sliver for C2 alongside the established AnyDesk-based approach. This was the final major AvosLocker activity cluster publicly attributed before the group fell dormant.
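NetMonitor's behaviour as described above (a bare-IP C2 over 443 on a five-minute timer) is detectable from connection logs without the implant's hash or the FBI YARA rule. The Python below is an added example, not the advisory's tooling and not the FBI rule; it applies a beacon-regularity check to constructed connection records and flags flows whose inter-connection gaps cluster tightly around the five-minute period. The hosts, addresses, jitter tolerance and minimum hit count are assumptions.

```python
"""Flag fixed-interval outbound TLS beacons to bare IP addresses, the NetMonitor.exe pattern.

Added example: not code from the FBI advisory and not the FBI YARA rule. Input is a
list of constructed connection records (UTC timestamp, source host, destination IP,
destination port, TLS server name or "" when the client sent no SNI). The 300 s
period comes from the profile; jitter tolerance and minimum hit count are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def beacon_candidates(records, period=300.0, tolerance=0.15, min_hits=6):
    """Return flows whose inter-connection gaps cluster tightly around `period`.

    Only port 443 connections with no SNI are considered: a client that reaches a
    bare IP over TLS without naming the server is what a hard-coded C2 address
    produces, and the filter drops ordinary browser and update traffic up front.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, server_name in records:
        if port == 443 and not server_name:
            by_flow[(src, dst)].append(datetime.strptime(ts, TS_FMT))
    findings = []
    for (src, dst), times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - period) / period > tolerance:
            continue                      # not near the expected period
        jitter = statistics.pstdev(gaps)
        if jitter > tolerance * period:
            continue                      # bursty or human traffic, not a timer
        findings.append({"src": src, "dst": dst, "hits": len(times),
                         "median_gap_s": median_gap, "jitter_s": round(jitter, 1)})
    return findings


def _series(src, dst, port, server_name, start, offsets):
    """Build records for one flow at the given second offsets from `start`."""
    return [((start + timedelta(seconds=o)).strftime(TS_FMT), src, dst, port, server_name)
            for o in offsets]


START = datetime(2023, 3, 14, 2, 30, 0)
# Constructed sample: a five-minute beacon to a bare IP, a browser session with SNI,
# and bursty raw-IP traffic that a regularity check must not flag.
SAMPLE_RECORDS = (
    _series("WS-FIN-07", "203.0.113.45", 443, "", START, [0, 299, 601, 900, 1202, 1499, 1801])
    + _series("WS-FIN-07", "93.184.216.34", 443, "example.com", START, [5, 20, 22, 610, 611, 700, 1900])
    + _series("SRV-WEB-02", "198.51.100.9", 443, "", START, [0, 60, 460, 490, 1390, 1400, 1405, 2500])
)

if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_RECORDS):
        print(f"{f['src']} -> {f['dst']}:443 every ~{f['median_gap_s']:.0f}s "
              f"({f['hits']} hits, jitter {f['jitter_s']}s)")
```

The same check run with `period` left open (take the median gap as the period and test only the jitter) generalises to any timer-driven implant; pinning it to 300 seconds here keeps the false-positive rate low for the specific tool the advisory describes.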

Tools & Malware

AvosLocker affiliates rely heavily on legitimate commercial tools and open-source utilities alongside the core ransomware payload and custom implants. This living-off-the-land approach is a deliberate evasion strategy — legitimate tools blend with normal IT activity in security logs and are not flagged by signature-based defenses.

  • AvosLocker Ransomware (Windows — Avos / Avos2): A multi-threaded C++ executable using RSA encryption for file encryption keys and ChaCha20 for encrypting encryption-related data. Supports command-line arguments to control threading, SMB brute force, and mutex creation. Creates a mutex object to prevent double-infection. Appends .avos or .avos2 extensions to encrypted files. Drops ransom notes (README_FOR_RESTORE.txt) directing victims to a Tor-hosted negotiation site, where the victim is identified by the ID printed in the note.
  • AvosLinux / AvosLocker ESXi Variant: An x64 ELF binary targeting Linux and VMware ESXi environments. Accepts command-line arguments for directory path and thread count. Before encrypting files, terminates all running ESXi virtual machines using the esxcli command with force-kill parameters. Appends .avoslinux extension to encrypted files. Enables simultaneous encryption of multiple server workloads from a single execution.
  • NetMonitor.exe: A custom persistence implant introduced in 2023. Masquerades as a legitimate Windows network monitoring process. Pings a hardcoded attacker C2 IP every five minutes over port 443. Functions as a reverse proxy enabling operator re-entry from outside the victim network. Traffic between NetMonitor and C2 is encrypted. Specifically documented in FBI advisory AA23-284A with a dedicated YARA detection rule.
  • aswArPot.sys (Avast Anti-Rootkit Driver — abused): A legitimate but outdated Avast driver loaded into kernel space to terminate the processes of third-party endpoint security products. Operates at kernel privilege, making it more effective at disabling security tools than user-space approaches. First documented US ransomware use of this specific BYOVD (Bring Your Own Vulnerable Driver) technique. Fixed in June 2021 Avast update; Microsoft released a Windows 10/11 block in April 2022 to prevent the old version from loading.
  • AnyDesk: Legitimate remote access software deployed as a persistent backdoor. Operators register it so that it starts in Windows Safe Mode with Networking (through the SafeBoot\Network service list), keeping remote access through the Safe Mode reboot and encryption sequence.
  • Cobalt Strike / Sliver: Commercial and open-source C2 frameworks used for post-compromise command and control. Documented in the 2023 FBI/CISA advisory as part of the updated AvosLocker toolkit. Cobalt Strike provides hands-on-keyboard access for lateral movement; Sliver serves as an open-source alternative.
  • Ligolo / Chisel: Open-source network tunneling tools used during lateral movement. Enable encrypted tunnels through NAT and firewall boundaries, providing operator access to internal network segments during intrusions.
  • LaZagne / Mimikatz: Credential harvesting tools. LaZagne extracts saved passwords from a wide range of applications; Mimikatz dumps Windows credential material from memory (LSASS). Harvested credentials are used for pass-the-hash attacks and direct authentication to additional systems.
  • FileZilla / Rclone: File transfer and cloud sync tools repurposed for data exfiltration. Rclone enables direct exfiltration to attacker-controlled cloud storage. FileZilla transfers files to FTP-based staging servers. Both tools are legitimate software that blends with normal IT activity in network logs.
  • PDQ Deploy: A legitimate software deployment tool weaponized to distribute malicious batch scripts across multiple endpoints simultaneously. Used to mass-deploy AV disablement scripts, account creation commands, and Safe Mode reboot configuration across entire victim networks in a single operation.

Indicators of Compromise

Key technical indicators from FBI/CISA advisory AA23-284A and supporting vendor research. For the full IOC list from January–May 2023, refer directly to CISA advisory AA23-284A, which includes IP addresses and file hashes not reproduced here.

warning

AvosLocker IOCs vary significantly between core ransomware indicators and affiliate-specific indicators. Affiliate TTPs, initial access vectors, and infrastructure differ per intrusion. The FBI advisory notes: "AvosLocker indicators of compromise vary between indicators specific to AvosLocker malware and indicators specific to the individual affiliate responsible for the intrusion." Prioritize behavioral detection over static IOCs for this group.

indicators of compromise — technical identifiers
hash sha256 (windows) C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02
hash sha256 (linux/esxi) 7C935DCD672C4854495F41008120288E8E1C144089F1F06A23BD0A0F52A544B1
file extension (windows) .avos; .avos2 (encrypted file extensions)
file extension (linux) .avoslinux (encrypted file extension)
ransom note filename README_FOR_RESTORE.txt
tor site (leak / negotiation) avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad[.]onion
tor site (alt) avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad[.]onion
persistence tool NetMonitor.exe — reverse proxy masquerading as network monitor (C2 over port 443, 5-min ping interval)
byovd driver (abused) aswArPot.sys — Avast Anti-Rootkit Driver, kernel-level AV termination
registry key (av disable) HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1
account creation (safemode) newadmin / password123456 — hardcoded admin account created for Safe Mode auto-login
esxi kill command esxcli --formatter=csv vm process list | ... | awk '{system("esxcli vm process kill --type=force --world-id=" $1)}'
cisa yara rule FBI-developed YARA rule for NetMonitor.exe — available in CISA advisory AA23-284A
exploited cves CVE-2021-34473/31206/34523/31207 (Exchange); CVE-2021-26855/27065 (ProxyLogon); CVE-2021-40539 (Zoho); CVE-2021-44228 (Log4Shell); CVE-2022-26134 (Confluence)

Mitigation & Defense

Recommended controls for organizations in AvosLocker's target profile, informed by FBI/CISA advisory AA23-284A and incident response findings from Sophos and Trend Micro.

  • Patch Known Exploited Vulnerabilities Quickly: AvosLocker affiliates consistently exploited known vulnerabilities in internet-facing systems (Exchange, Zoho ManageEngine, Log4j, Confluence) for which patches were already available. Treat entries in CISA's Known Exploited Vulnerabilities (KEV) catalog as emergency patches for public-facing applications; a 24–48 hour window for internet-facing systems is a reasonable target.
  • Restrict and Monitor RDP and Remote Access Services: RDP compromise was a primary initial access vector in affiliate-based AvosLocker intrusions. Disable RDP on systems where it is not required. Require VPN or jump server access for all RDP sessions. Enforce MFA on all remote access mechanisms and monitor for unusual access patterns, particularly access outside business hours or from unexpected geographic locations.
  • Application Allowlisting for Remote Access Tools: AnyDesk, Splashtop, PDQ Deploy, Atera Agent, and Tactical RMM were documented as backdoor access vectors. Implement application controls that allowlist only authorized remote access tools and block unauthorized installations. Monitor for unexpected remote access software deployments, particularly those added via PDQ or other deployment tools.
  • Block Known Vulnerable Drivers (BYOVD Defense): The aswArPot.sys abuse was the first US ransomware use of a Bring Your Own Vulnerable Driver technique, but the control that stops it is generic. Enable the Microsoft vulnerable driver blocklist (enforced when memory integrity/HVCI is on, and deployable as a WDAC policy on Windows 10 and 11; the April 2022 update added the old aswArPot.sys to it). Keep tamper protection enabled on the endpoint platform: Sophos tamper protection blocked AvosLocker batch-script attempts to disable Sophos services.
  • Protect Against Safe Mode Bypass: AvosLocker reboots systems into Safe Mode to run outside of endpoint security loading order. Configure EDR solutions to operate in Safe Mode where possible. Monitor for and alert on Safe Mode boot events and automatic Safe Mode login configuration registry changes. HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot registry modifications should be treated as high-priority alerts in any environment.
  • Detect NetMonitor.exe and Reverse Proxy Tools: Deploy the FBI-developed YARA rule for NetMonitor.exe (available in CISA AA23-284A) to EDR and SIEM platforms. Monitor for processes that establish persistent outbound connections over port 443 to IP addresses (rather than domain names) at regular intervals — NetMonitor sends pings every five minutes. Also monitor for Ligolo and Chisel usage, which leaves identifiable network signatures.
  • Credential Hygiene and Privileged Access Management: The hardcoded local administrator account ('newadmin' / 'password123456') is a detectable artifact. Alert on any unexpected local administrator creation on any system, and put new local admins under privileged access management (PAM) review. Enforce MFA and unique, non-reused credentials on every remote access path so that credentials bought from initial access brokers do not grant entry.
  • Volume Shadow Copy and Backup Protection: AvosLocker deletes VSS snapshots as a standard pre-encryption step. Implement write-protected offline backups that cannot be reached or deleted by ransomware executing on compromised systems. Monitor for vssadmin delete shadows commands as a near-certain ransomware precursor indicator.
  • Network Segmentation for ESXi Environments: The AvosLinux variant specifically targets VMware ESXi hypervisors, where one successful encryption event can destroy dozens of virtual machines simultaneously. Segment ESXi management networks from general corporate networks. Restrict which systems can reach ESXi hosts on management interfaces, and require MFA for all ESXi administrative access.
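The Safe Mode bypass and credential hygiene items above both come down to registry state that can be audited after the fact: which services are allowed to start under SafeBoot\Network, and whether Winlogon has been set to log a local account in automatically. The Python below is an added example, not from the advisory or any vendor: it parses a constructed `.reg` export (the format `reg export` writes), diffs the SafeBoot\Network entries against a baseline, and reports an enabled AutoAdminLogon with a non-allowlisted user or a stored DefaultPassword. The baseline set, the allowlist and the export itself are assumptions; in practice the baseline comes from an export taken from a known-good build.

```python
"""Audit Safe Mode boot and autologon registry state for the AvosLocker pattern.

Added example: not from the advisory or any vendor. Parses a constructed Windows
.reg export and reports SafeBoot\\Network services missing from a baseline, an
enabled AutoAdminLogon, a DefaultUserName outside an allowlist, and a stored
DefaultPassword. Baseline, allowlist and export are assumptions.
"""

SAFEBOOT_NET = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed baseline: SafeBoot\Network entries present on the gold image (trimmed here).
BASELINE_SAFEBOOT = {"{4D36E967-E325-11CE-BFC1-08002BE10318}", "AFD", "LanmanWorkstation"}
ALLOWED_AUTOLOGON_USERS = set()  # assumption: no domain member should autologon at all

# Constructed export carrying the AnyDesk entry and the autologon values an
# AvosLocker staging script leaves behind.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="newadmin"
"DefaultPassword"="password123456"
"ForceAutoLogon"=dword:00000001
"""


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: value}} (string and dword values)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif value.startswith("dword:"):
                value = int(value[len("dword:"):], 16)
            keys[current][name] = value
    return keys


def audit(keys, baseline=BASELINE_SAFEBOOT, allowed_users=ALLOWED_AUTOLOGON_USERS):
    """Return human-readable findings; an empty list means the host matches the baseline."""
    findings = []
    prefix = SAFEBOOT_NET + "\\"
    for key, values in keys.items():
        if key.startswith(prefix):
            entry = key[len(prefix):]
            if entry not in baseline:
                findings.append(f"SafeBoot\\Network entry not in baseline: {entry} = {values.get('(Default)', '?')}")
    wl = keys.get(WINLOGON, {})
    if str(wl.get("AutoAdminLogon", "0")) == "1":
        user = wl.get("DefaultUserName", "")
        note = f"AutoAdminLogon enabled for '{user}'"
        if user not in allowed_users:
            note += " (not allowlisted)"
        if "DefaultPassword" in wl:
            note += "; cleartext DefaultPassword stored"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_EXPORT)):
        print("[!]", finding)
```

Running this against an export pulled from every endpoint (or feeding the same logic the equivalent EDR registry telemetry) turns the SafeBoot alerting recommendation above into a concrete, repeatable check, and it also catches the case where the staging script ran but the reboot never happened.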
analyst note

AvosLocker's dormant status as of mid-2023 is consistent with the broader ransomware landscape dynamic of that period — several operations went quiet or rebranded following increased law enforcement attention. The group's explicit restriction against attacking CIS/post-Soviet targets, combined with its RaaS operational model, is circumstantially consistent with Eastern European or Russian-speaking operator origin, though no formal attribution has been made and the group's identity remains unknown. The techniques AvosLocker pioneered — particularly the BYOVD approach using aswArPot.sys, Safe Mode execution, and the integrated calling service as extortion pressure — have been observed in subsequent ransomware operations, suggesting this group's playbook influenced the broader ransomware ecosystem even after it fell dormant. Organizations that were compromised during AvosLocker's operational period should verify that NetMonitor.exe and similar persistence implants have been fully remediated, as passive reverse proxies can survive standard ransomware remediation efforts if not specifically hunted.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile