Also known as: Avos
Category: Malware
Type: Ransomware
Platform: Windows, Linux
Variants: AvosLocker has separate variants that target Windows devices and Linux devices.
Damage potential: Encrypted files, file corruption and loss, data breach, financial loss.
Overview
AvosLocker is a sophisticated ransomware that was first discovered in June 2021 and gained notoriety for its double extortion tactic: AvosLocker is designed to steal and encrypt files on a victim’s computer. The attackers then threaten to release the data to the public unless a ransom is paid. Initially, AvosLocker was created to target Windows devices, but it evolved to include a Linux variant.
AvosLocker uses legitimate remote system administration tools for initial access and persistence; because this open-source software is widely considered safe, its use helps the malware avoid detection. Once inside, AvosLocker establishes a backdoor to maintain access and starts harvesting credentials: usernames, passwords, and other authentication data. It later uses these credentials to give itself more privileges and deeper access to the system.
AvosLocker is distributed as Ransomware-as-a-Service (RaaS). What makes it particularly dangerous is that it continues to evolve and expand across multiple critical infrastructure sectors in the United States.
Possible symptoms
The main symptom of an AvosLocker infection is that your files are encrypted. You will also probably see a ransom note appear on your desktop. But before it encrypts your files, there are a few things you may notice happening as AvosLocker infects and takes over your device:
- Your device suddenly becomes very slow.
- You notice more CPU and disk activity.
- You face network connection issues as your data is being uploaded to the attackers.
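The "more disk activity" and "files are encrypted" symptoms above can be turned into a simple defensive check. The script below is an added example written for this page; it is not code from the original article and is not based on any AvosLocker sample. It combines two signals per file: the Shannon entropy of the first bytes (ciphertext and compressed data sit near 8 bits per byte, while text and most documents are far lower) and whether the file was modified inside a short, recent window. A burst of recently modified, high-entropy files is the pattern worth alerting on. The thresholds, the 5-minute window and the sample file contents are all assumptions constructed for the example; nothing here claims to know the real file formats or extensions AvosLocker produces.

```python
"""Heuristic check for the mass-encryption symptom of ransomware (added example).

Per-file signals: Shannon entropy of the file header, and recency of modification.
A snapshot is flagged when at least half of the files are both recent and high-entropy.
"""
import math
import time
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# All thresholds are assumptions chosen for the example, not published indicators.
HEADER_BYTES = 4096          # how much of each file is sampled
ENTROPY_THRESHOLD = 7.0      # bits per byte; encrypted/random data sits near 8.0
WINDOW_SECONDS = 300         # "recent" means modified within the last 5 minutes
SUSPICIOUS_FRACTION = 0.5    # alert when at least half the files look freshly encrypted


@dataclass
class FileSample:
    name: str
    head: bytes      # first HEADER_BYTES of the file content
    mtime: float     # modification time, seconds since the epoch


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_freshly_encrypted(sample: FileSample, now: float) -> bool:
    """True when the file was modified recently AND its header looks like ciphertext."""
    recent = (now - sample.mtime) <= WINDOW_SECONDS
    return recent and shannon_entropy(sample.head) >= ENTROPY_THRESHOLD


def assess(samples, now=None):
    """Summarise a snapshot: which files are flagged and whether the whole set is suspicious."""
    now = time.time() if now is None else now
    flagged = [s.name for s in samples if is_freshly_encrypted(s, now)]
    total = len(samples)
    suspicious = total > 0 and len(flagged) / total >= SUSPICIOUS_FRACTION
    return {"flagged": flagged, "total": total, "suspicious": suspicious}


def scan_directory(root) -> list:
    """Build FileSample objects from a real directory tree (reads only file headers)."""
    samples = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(HEADER_BYTES)
            samples.append(FileSample(str(path), head, path.stat().st_mtime))
        except OSError:
            continue   # unreadable or vanished file: skip rather than abort the scan
    return samples


def demo():
    """Constructed in-memory snapshots (not real victim data): a healthy one and an attacked one."""
    now = 1_700_000_000.0
    text = b"quarterly report: revenue up, costs flat, see attached spreadsheet\n" * 64
    # A perfectly uniform byte distribution stands in for ciphertext (entropy exactly 8.0).
    ciphertext_like = bytes(range(256)) * 16
    healthy = [FileSample(f"doc{i}.txt", text, now - 86_400) for i in range(6)]
    # ".enc" is a placeholder suffix for the example, not a real AvosLocker extension.
    attacked = (
        [FileSample(f"doc{i}.txt.enc", ciphertext_like, now - 10) for i in range(5)]
        + [FileSample("doc5.txt", text, now - 86_400)]
    )
    return assess(healthy, now), assess(attacked, now)


if __name__ == "__main__":
    healthy_result, attacked_result = demo()
    print("healthy snapshot:", healthy_result)
    print("attacked snapshot:", attacked_result)
```

Run it against a live folder with `assess(scan_directory("/path/to/shared/docs"))` from a scheduled task. Entropy alone also fires on legitimately compressed content (archives, images, video), which is why the example only alerts on the combination of recency and high entropy across a large fraction of files; tune `SUSPICIOUS_FRACTION` and the window to the folder's normal churn before relying on it.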
Sources of the infection
AvosLocker ransomware may spread in many ways:
- Phishing emails are one of the most common methods. You get an email with malicious attachments or links, you interact with them, and your device gets infected.
- Exploit kits are also a hacker favorite, targeting vulnerabilities in software to install the ransomware.
- Compromised Remote Desktop Protocol (RDP) credentials are one of the fastest ways to gain access to a victim's network.
- Drive-by downloads are one of the sneakiest: malware downloads are initiated without your knowledge when you visit compromised websites.
Protection
Ransomware attacks can have serious consequences for organizations: financial loss, disrupted services, or ruined reputation. Here’s how to protect networks and devices from AvosLocker:
- Update and patch. Regularly update operating systems and software to patch vulnerabilities.
- Back up your data often. Keep regular backups of important data, ideally offline or in the cloud.
- Be wary of phishing emails. Phishing emails are still the most common medium to spread malware. Make sure you don’t open any suspicious emails or attachments.
- Use NordVPN. In addition to securing your connection, NordVPN offers Threat Protection Pro — an advanced feature that blocks your access to malicious websites and checks all the files you download for malware.
Removal
Paying the ransom is not recommended because it does not guarantee the return of your files and encourages the attackers to continue their malicious work.
Try consulting a specialist and use reputable, paid, up-to-date antivirus software to try to remove the ransomware. Decrypting your data requires a different set of skills entirely, so you will also need to find people who specialize in ransomware recovery.
Cybercriminals who use AvosLocker may follow through on their threat and release your data to the public. In this case, restore everything from backup if you can, and prepare for crisis management.