AvosLocker Ransomware's Linux Version is Designed to Infect VMware ESXi Servers

AvosLocker Ransomware’s Linux Version is Designed to Infect VMware ESXi Servers

AvosLocker is the newest ransomware gang to add capabilities for encrypting Linux computers to its recent malware strains, specifically VMware ESXi virtual machines. While the AvosLocker ransomware Linux variant could not locate the targeted devices, at least one victim received a $1 million ransom demand.

A few months ago, the AvosLocker gang was also observed advertising its latest ransomware variations, Windows Avos2 and AvosLinux, while cautioning affiliates against attacking post-soviet/CIS sites.

“Out new variants (avos2 / avoslinux) have the best of both worlds to offer: high performance & high amount of encryption compared to its competitors,” the gang said.

Once installed on a Linux system, AvosLocker will use the following command to shut down all ESXi machines on the server:

esxcli –formatter=csv –format-param=fields==”WorldID,DisplayName” vm process list | tail -n +2 | awk -F $’,’ ‘{system(“esxcli vm process kill –type=force –world-id=” $1)}’

The ransomware will append the .avoslinux extension to all encrypted files after being installed on a compromised device. It also leaves ransom notes instructing victims to avoid shutting down their computers to prevent file damage and go to an onion website for further information on how to pay the ransom.

AvosLocker is a new gang that first emerged in the summer of 2021, soliciting ransomware affiliates to join their newly established Ransomware-as-a-Service (RaaS) business on underground forums. The decision to target ESXi virtual machines is in line with their enterprise customers, who have lately transitioned to virtual machines for better device management and more effective resource use.

By focusing on virtual machines, ransomware authors may more easily and quickly encrypt many servers with a single command. Since October, hive ransomware has been encrypting Linux and FreeBSD computers with new malware versions, only months after researchers discovered a REvil ransomware Linux encryptor that targets VMware ESXi VMs.

According to Emsisoft CTO Fabian Wosar, other ransomware gangs, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty, have designed and employed their own Linux encryptors.

“The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically,” Wosar clarified.

In July and August, security experts detected HelloKitty and BlackMatter ransomware Linux versions in the wild, validating Wosar’s claim. In the past, Linux encryptors were used by the Snatch and PureLocker ransomware operations.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.