Deep-Dive Analysis of Avos Locker Ransomware by Mila Bera


The days of silly malware that spewed annoying but ultimately harmless insults like that legendary “You are an idiot” trojan are behind us. Hackers are now going after the jugular, trying to strongarm as many victims as possible into handing them over money, preferably in the form of some cryptocurrency. This is the age of ransomware.

These types of malware waste no time. Once in a computer system, they systematically lock data until the computer becomes almost unusable. At that point, a ransom note pops up on the unfortunate user’s computer, notifying them of the attack and the payment details. If a victim doesn’t pay up, they can kiss their files goodbye. The encryption used on ransomware is too strong to brute force, and only the hackers hold the keys. That is if they’re even willing to spare their victims in the first place.

The Rise of Avos Locker

Each ransomware app works a bit differently from the others. A more recent one, called Avos Locker, or AvosLocker as it’s often written, is especially annoying. It is a Ransomware-as-a-service (RaaS), meaning that the developers sell its code to whoever’s interested to create more variants of this ransomware.

The first mention of Avos Locker and, thus, its developer Avos was in early July of 2021. A post on a dark web forum Dread, advertised the ransomware, emphasizing the customized negotiation and extortion processes to its customers. A similar thread has also appeared on the Russian hacking forum XSS, where Avos was trying to recruit more hackers into their team.

Initially, the ransomware was made to target Windows machines specifically. Later on, it was expanded to target Linux, too, becoming a significant danger to computer systems worldwide. Its activity spiked in late 2021 and continued into 2022.

How Avos Locker Works

Like many ransomware apps before it, Avos Locker gets into a computer system via a file attached to a spam email. It starts slowly by renaming files and adding the “.avos” extension. The victim is unable to either rename the files or open them in any way. Once it’s done with a folder, the ransomware will leave a file called GET_YOUR_FILES_BACK.txt containing the following ransom note:

Obviously, we’ve obfuscated any harmful information in this document.

The way Avos Locker avoids anti-malware apps is especially interesting and troublesome - it runs from Safe Mode, unlike most security products. Therefore, it can go completely undetected until it’s too late.

Not only that, but it modifies the Safe Mode boot file and installs AnyDesk, a remote desktop application. Since the malware employs batch scripts to execute its processes and gather the target’s files, the group also installs PDQ Deploy, commercial software for system management that allows running batch operations on a Windows machine.

While both of these apps get onto the target system before the boot into Safe Mode, PDQ Deploy executes before the reboot, preparing the system for the whole operation. It disables anti-malware apps and Windows Update by deleting registry files, creating a new user, and setting the machine to automatically log onto that account, bypassing any legal notices and required inputs.

The final two scripts execute ransomware from a remote file server and then boot the machine back into the standard OS environment, where the malware continues to operate uninhibited.

But why AnyDesk? The app lies dormant, and the attacker will boot it up only if the ransomware runs into any execution problems. So, even if a computer system has managed to defend itself by running everything manually, bad actors can force the ransomware onto their targets. In some instances, a spyware tool is also installed on victims’ computers, harvesting login IDs, crypto wallet data, and credit card information.

Unlocking the Files

A ransom note stored in folders affected by the Avos Locker ransomware contains two pieces of information - the address of the website the victim is supposed to visit and a unique ID they need to provide. The ransom amount isn’t mentioned anywhere in the document. Instead, once the target enters their ID on the payment portal of the bad actor’s website, they’ll see the complete payment details and the amount required.

Like other ransomware attacks, this one also includes the sale of gathered data if the victims fail to pay the requested amount. In fact, that same website hosts the list of victims and offers direct purchases of harvested data, along with the affiliate program through which other ill-meaning scammers can purchase the tools and spread the ransomware even further.

Removing Avos Locker

Currently, there’s no publicly available tool to help you decrypt the infected data on your own. That means that the victims of an Avos Locker attack need to either pay up or say goodbye to their files. Paying the ransom is never advised. Not only is that a sign of giving up against the hackers, but there’s absolutely no guarantee that you’ll get proper decryption tools even after you pay. In more than a few cases, victims lost both money and access to their files permanently.

Instead, you should be looking to get rid of the malware and then restore any backups you have on your computer. If you’re restoring to a more recent backup, always make sure to run several anti-malware scans to ensure there aren’t any traces of the ransomware and its utility apps left.

Final Thoughts

The best practice when it comes to ransomware is to not get infected in the first place. The first step is to ignore any spam emails, especially those with suspicious attachments coming from unknown sources. Next up is having security measures in place, such as VPNs and antivirus apps with real-time protections. VPNs out of 14 Eyes jurisdiction are a great start, along with password managers with cloud backup.

Lastly, do not panic even if the ransomware somehow gets into your computer system. That’s exactly what the hackers want, and making rash decisions will only make the situation worse.


Passionate Blogger with experience in the tech, finance and SEO industry. In love with research and a faithful follower of the latest and trending topics. Not afraid to jump out of my comfort zone and discover new markets and ways to portray them and share them with my readers.

May 5, 2022


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023