The AvosLocker ransomware gang is back in headlines for revamping its arsenal. The threat actors have added a new module for encrypting Linux systems. 

AvosLocker becomes the latest to target VMware ESXi

  • According to Bleeping Computer, the gang has revealed a new Linux version of AvosLocker, active since November 2021, that specifically targets VMware ESXi virtual machines. 
  • Once launched on a Linux system, the ransomware terminates all ESXi machines on the server using specific commands.
  • Post-encryption, the ransomware appends the .avoslinux extension to all encrypted files. 
  • Later, it drops ransom notes asking the victims not to shut down their computers to avoid file corruption. The affected victims are prompted to visit an onion site for more details on how to pay the ransom. 

What does this indicate?

  • While alarming, AvosLocker targeting virtual machines is not surprising. In the past years, several other ransomware groups had already adopted the tactic to encrypt Linux systems.
  • This includes Hive, Babuk, RansomExx, Pysa, GoGoogle, DarkSide, HelloKitty, and BlackMatter.
  • This recent move to target ESXi virtual machines is primarily attributed to organizations shifting their infrastructure to VMware VMs and hybrid clouds.  
  • By targeting the VMs, the ransomware operators also take advantage of easier and faster encryption of multiple servers with a single command.

AvosLocker remains strong since its inception

  • Ever since it first appeared in July 2021, the AvosLocker ransomware has come under the lens of security researchers.
  • Towards the end of December 2021, the ransomware actors added a new evasion tactic by booting Windows systems into Safe Mode.   
  • The year 2022 saw the first AvosLocker ransomware attack that targeted the systems of a U.S. police department but later released a free decryptor to unlock the encrypted files. 


Although there is currently no information about the new AvosLinux variant targeting private companies or government institutions, Bleeping Computer notes that a ransom of $1 million was demanded from one of the victims. Security analysts and admins are advised to stay alert against suspicious activities inside of their network and take proactive actions to counter potential threats.

Cyware Publisher