
AvosLocker Ransomware

Infosec researchers uncovered a new ransomware operation that they named AvosLocker. The hacker group appears to have become active around June 2021 and, in just a couple of months, has managed to rack up several victims. The cybercriminals release the names of their victims on a dedicated leak site hosted on the Tor network. The site contains two sections, 'Public Service Announcements' and 'Leaks.' All breached entities, alongside proof of the data collected from them, are displayed under the 'Public Service Announcements' page. The AvosLocker group uses spam email campaigns disseminating bait emails, as well as corrupted advertisements, as initial infection vectors for the delivery of the ransomware threat.

AvosLocker Ransomware's Details

The deployed ransomware threat is written in C++ and utilizes a customized version of the AES-256 cryptographic algorithm to lock the files stored on the breached systems. The malware is designed to infect Windows machines and will not execute on other platforms. Among its threatening capabilities, the AvosLocker Ransomware can delete the Shadow Volume Copies of the affected files, as well as terminate specific applications that may interfere with the encryption process. Upon encrypting a file, AvosLocker appends '.avos' to that file's original name as a new extension. Like most threats of this type, the AvosLocker Ransomware also delivers a ransom note with instructions for its victims. The message is dropped as a text file named 'GET_YOUR_FILES_BACK.txt.'
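The file-system indicators above (the '.avos' extension and the 'GET_YOUR_FILES_BACK.txt' note) and the Shadow Volume Copy deletion are the observables a responder would triage first. The following Python script is an added example written for this page, not code from the threat description or from any vendor tool: it walks a directory tree for the two file-based indicators and flags process command lines that match common shadow-copy deletion patterns. The extension and note name come from the text above; the command-line patterns (vssadmin, wmic, Win32_ShadowCopy) are generic defender heuristics assumed here, not commands the page attributes to AvosLocker, and the sample command lines and demo directory are constructed.

```python
"""Indicator triage for the AvosLocker behaviours described above.

Added example, not code from the page. Assumptions: the '.avos' extension and
'GET_YOUR_FILES_BACK.txt' note name are taken from the page; the shadow-copy
deletion command lines are generic heuristics (vssadmin / wmic / WMI), not
commands the page attributes to AvosLocker.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

AVOS_EXTENSION = ".avos"                       # from the page
RANSOM_NOTE_NAME = "GET_YOUR_FILES_BACK.txt"   # from the page

# Command-line patterns commonly used to wipe Volume Shadow Copies
# (assumption: generic detection heuristics, not quoted from the page).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
]


@dataclass
class ScanResult:
    """Paths found during a file-system sweep."""
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def likely_infected(self) -> bool:
        return bool(self.encrypted_files) or bool(self.ransom_notes)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect files carrying the '.avos' extension or the
    ransom note file name. Extension match is case-insensitive; the note
    name is matched exactly."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(AVOS_EXTENSION):
                result.encrypted_files.append(path)
            elif name == RANSOM_NOTE_NAME:
                result.ransom_notes.append(path)
    return result


def flag_shadow_copy_deletion(command_lines):
    """Return the command lines matching a shadow-copy deletion pattern,
    e.g. from process-creation telemetry."""
    return [cl for cl in command_lines
            if any(p.search(cl) for p in SHADOW_DELETE_PATTERNS)]


# Constructed sample process command lines for the demo (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet',
    r'"C:\Program Files\Editor\editor.exe" report.docx',
    r'wmic shadowcopy delete',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]


def build_demo_tree() -> str:
    """Create a temporary directory resembling a hit file share (constructed):
    two '.avos' files, one untouched file and one ransom note."""
    root = tempfile.mkdtemp(prefix="avos_demo_")
    os.makedirs(os.path.join(root, "finance"))
    for rel in ("finance/q2.xlsx.avos", "finance/notes.txt.avos", "readme.md"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder")
    with open(os.path.join(root, "finance", RANSOM_NOTE_NAME), "w") as fh:
        fh.write("placeholder note text\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    res = scan_tree(demo_root)
    print(f"{len(res.encrypted_files)} '.avos' files, "
          f"{len(res.ransom_notes)} ransom notes, infected={res.likely_infected}")
    for hit in flag_shadow_copy_deletion(SAMPLE_COMMAND_LINES):
        print("shadow copy deletion:", hit)
```

Run it as-is to see the constructed demo, or point `scan_tree` at a real share and feed `flag_shadow_copy_deletion` the command lines from your process-creation logs; a shadow-copy deletion hit shortly before '.avos' files appear is the sequence worth alerting on.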

AvosLocker's Demands

As it turns out, the ransom note itself contains little useful information. It mostly just urges the victims of the threat to visit a Tor website to get all the additional instructions. Following the provided link and entering the specific victim ID leads to a 'payment' page. Here, victims can see a countdown timer that measures the remaining time before the sum demanded by the hackers gets doubled. The ransom needs to be transferred using the Monero cryptocurrency.

However, before paying, victims can upload a sample file to the site to test the hackers' ability to decrypt the locked data. The Web page also includes a support chat through which affected users can supposedly contact the AvosLocker hackers.

Paying any amount of money to ransomware operators is strongly discouraged. Users could be exposing themselves to additional security risks while funding the next threatening operation of the cybercriminals in the process.

1 Comment

Hello, good afternoon. I'm from Mexico, and my computer was infected by ransomware and I can't recover my files. The extension it generated was +++ "file.docx.gujd" +++ and I hope you can help me. Without further ado for the moment, I say goodbye and send you a cordial greeting.

SINCERELY:

Alfredo
