Skip to content

S1053 AvosLocker

AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.231

Item Value
ID S1053
Associated Names
Version 1.0
Created 11 January 2023
Last Modified 15 February 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder AvosLocker has been executed via the RunOnce Registry key to run itself on safe mode.3
enterprise T1486 Data Encrypted for Impact AvosLocker has encrypted files and network resources using AES-256 and added an .avos, .avos2, or .AvosLinux extension to filenames.2351
enterprise T1140 Deobfuscate/Decode Files or Information AvosLocker has deobfuscated XOR-encoded strings.2
enterprise T1083 File and Directory Discovery AvosLocker has searched for files and directories on a compromised network.23
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window AvosLocker has hidden its console window by using the ShowWindow API function.2
enterprise T1562 Impair Defenses -
enterprise T1562.009 Safe Mode Boot AvosLocker can restart a compromised machine in safe mode.34
enterprise T1036 Masquerading -
enterprise T1036.008 Masquerade File Type AvosLocker has been disguised as a .jpg file.3
enterprise T1106 Native API AvosLocker has used a variety of Windows API calls, including NtCurrentPeb and GetLogicalDrives.2
enterprise T1135 Network Share Discovery AvosLocker has enumerated shared drives on a compromised network.21
enterprise T1027 Obfuscated Files or Information AvosLocker has used XOR-encoded strings.2
enterprise T1027.007 Dynamic API Resolution AvosLocker has used obfuscated API calls that are retrieved by their checksums.2
enterprise T1057 Process Discovery AvosLocker has discovered system processes by calling RmGetList.2
enterprise T1489 Service Stop AvosLocker has terminated specific processes before encryption.2
enterprise T1529 System Shutdown/Reboot AvosLocker’s Linux variant has terminated ESXi virtual machines.3
enterprise T1124 System Time Discovery AvosLocker has checked the system time before and after encryption.2