Skip to main content Link Menu Expand (external link) Document Search Copy Copied
Category Details References
First Observed June 2021 1
Threat Actors TBD  
Platforms Windows and Linux (EXSi) 2
Extensions .avos
Ransomware Notes GET_YOUR_FILES_BACK.txt 2
Services It Disables Terminates at least 22 named processes 3
Other Observables RaaS payments are only accepted through Monero

In order to execute on safe mode, it adds a RunOnce registry entry under autostart. Further investigation revealed multiple ways AvosLocker can be executed via the RunOnce registry, which are the following:
- Direct execution of the ransomware payload
- Execute a PowerShell script that will download and execute the ransomware payload
-Execute a PowerShell script that will decode and execute the ransomware payload from a disguised .jpg file.

Automatically Gains Access No 3
Automatically Escalates Privileges No  
Requires Human Interaction No. Requires some level of human interaction 5
Automatic Exfiltration No. Adversaries have been observed using rclone 6
Automatic Propagation No. Scans for hidden and/or network shares and attempts to mount/encrypt them, but does not automatically propagte to other desktops/servers 5

Please note, this page was last updated at 2023-03-14 20:21.