Last Updated on 12/01/2022 by Nidhi Khandelwal
AvosLocker is the newest ransomware gang to add Linux encryption capabilities to its recent malware strains, targeting VMware ESXi virtual machines in particular.
While we were unable to determine which organizations were hit by this Linux edition of the AvosLocker ransomware, BleepingComputer is aware of at least one victim who received a $1 million ransom demand.
The AvosLocker gang was also seen advertising its latest ransomware variants, Windows Avos2 and AvosLinux, a few months ago, while cautioning affiliates against attacking post-Soviet/CIS targets.
Once installed on a Linux system, AvosLocker uses the following command to shut down all ESXi virtual machines on the server:
Once it has run on a compromised system, the ransomware appends the .avoslinux extension to every encrypted file.
It also leaves ransom notes instructing victims not to shut down their computers, to prevent file corruption, and to visit an onion website for further information on how to pay the ransom.
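For a responder scoping an incident like the one described above, the .avoslinux extension is the most immediate artifact to look for. The following added example (not code from the article or from any vendor) walks a directory tree, summarises the affected files and reports the earliest and latest modification times so the encryption window can be placed on a timeline; the sample tree it builds is constructed data, not real victim files.

```python
import os
import tempfile
from datetime import datetime, timezone

# Extension the article says the Linux variant appends to encrypted files.
AVOS_EXT = ".avoslinux"

def triage_encrypted_files(root, ext=AVOS_EXT):
    """Walk root and summarise files carrying the ransomware extension: count,
    total bytes, touched directories, first/last mtime (UTC) for a timeline."""
    affected = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable while scanning; skip it
            affected.append((path, st.st_size, st.st_mtime))
    summary = {
        "count": len(affected),
        "total_bytes": sum(size for _, size, _ in affected),
        "directories": sorted({os.path.dirname(p) for p, _, _ in affected}),
        "first_mtime": None,
        "last_mtime": None,
    }
    if affected:
        mtimes = [m for _, _, m in affected]
        summary["first_mtime"] = datetime.fromtimestamp(min(mtimes), tz=timezone.utc)
        summary["last_mtime"] = datetime.fromtimestamp(max(mtimes), tz=timezone.utc)
    return summary

def build_sample_tree(base):
    # Constructed sample data, not real victim files: two "encrypted" VM files
    # plus one untouched file that must not be counted.
    files = {"vmfs/vm1/disk.vmdk.avoslinux": 1024,
             "vmfs/vm1/vm1.vmx.avoslinux": 100,
             "home/notes.txt": 9}
    for rel, size in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\x00" * size)
    return base

def demo():
    # Run the triage over a throwaway constructed tree and return the summary.
    with tempfile.TemporaryDirectory() as tmp:
        return triage_encrypted_files(build_sample_tree(tmp))
```

On a real host, point `triage_encrypted_files` at a mounted datastore or copy of the affected filesystem; the returned directories and time window feed directly into the incident timeline.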
AvosLocker is a newer gang that first emerged in the summer of 2021, soliciting ransomware affiliates to join their newly launched Ransomware-as-a-Service (RaaS) operation on underground forums.
The decision to target ESXi virtual machines is in line with their focus on enterprise targets, which have lately transitioned to virtual machines for easier device management and more efficient resource utilization.
In July and August, security experts detected HelloKitty and BlackMatter ransomware Linux variants in the wild, validating Wosar’s claim. In the past, Linux encryptors were used by the Snatch and PureLocker ransomware operations.