Avos

Description

First observed in July 2021, AvosLocker operates as a Ransomware-as-a-Service (RaaS) platform employing a double-extortion model: it encrypts files and exfiltrates data, threatening to leak the data publicly. Its affiliates have targeted diverse environments including Windows, Linux, and VMware ESXi, particularly impacting sectors such as education, government, manufacturing, and healthcare across the U.S., Canada, and numerous other countries. Affiliates gain access through phishing emails, exploitation of vulnerabilities (notably Microsoft Exchange ProxyShell, Log4j, and Zoho ManageEngine), and compromised remote services. Technically, AvosLocker uses AES (with RSA-wrapped keys) for file encryption, often executing in safe mode to bypass security defenses, and directs victims to ransom notes such as GET_YOUR_FILES_BACK.txt while changing the desktop wallpaper. Its data leak site operated from mid-2021 until about July–August 2023. No activity has been observed since May 2023.

External Analysis
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a
https://www.zscaler.com/blogs/security-research/retrospective-avoslocker
https://purplesec.us/breach-report/avoslocker-ransomware/
https://www.sentinelone.com/anthology/avoslocker/
https://www.picussecurity.com/resource/avos-locker-ransomware-group
Urls
http://avos2fuj6olp6x36.onion
File servers
Chat servers
Admin servers