The AvosLocker ransomware gang has added AvosLinux to its arsenal for encrypting Linux systems, specifically targeting VMware ESXi virtual machines. No details are available about the targeted companies or institutions, but at least one victim is alleged to have received a $1 million ransom demand.
A few months ago, the AvosLocker gang was also spotted advertising its latest ransomware variations, Windows Avos2 and AvosLinux, while alerting affiliates against attacking post-soviet/CIS targets.
"Our new variants (avos2 / avoslinux) have the best of both worlds to offer: high performance & high amount of encryption compared to its competitors," the gang said.
Upon installation on a Linux system, AvosLocker terminates the ESXi virtual machines running on the server, listing every VM's world ID and then force-killing each one, with the following command: esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}'
Once it starts operating on a compromised device, the ransomware appends the .avoslinux extension to every encrypted file. It also leaves ransom notes asking victims not to shut down the computer, to avoid file damage, and to visit the Tor site that contains the instructions for paying the ransom.
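From a defender's side, the two artefacts described above (a burst of forced esxcli VM kills on the host, and files carrying the .avoslinux extension) are straightforward to hunt for. The following is an added example, not code from the article or from any vendor; it assumes a simplified ESXi shell.log line format and uses constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines, loosely modelled on an ESXi shell.log (assumed format,
# not captured from a real host). The three forced kills in one minute mirror the
# one-liner the article quotes; the final soft kill is ordinary admin activity.
SAMPLE_SHELL_LOG = """\
2021-12-03T10:01:07Z shell[2099]: [root]: esxcli system version get
2021-12-03T10:05:41Z shell[2099]: [root]: esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list
2021-12-03T10:05:42Z shell[2099]: [root]: esxcli vm process kill --type=force --world-id=2101357
2021-12-03T10:05:42Z shell[2099]: [root]: esxcli vm process kill --type=force --world-id=2101402
2021-12-03T10:05:43Z shell[2099]: [root]: esxcli vm process kill --type=force --world-id=2101488
2021-12-03T10:30:00Z shell[2100]: [root]: esxcli vm process kill --type=soft --world-id=2101500
"""

# Match only forced VM kills; "soft" kills are a normal maintenance action.
FORCE_KILL = re.compile(r"esxcli\s+vm\s+process\s+kill\b.*--type=force")
TIMESTAMP = re.compile(r"^(\S+)\s")


def force_kill_bursts(log_text, threshold=2):
    """Return {minute: count} for every minute with at least `threshold` forced VM kills.

    Mass VM termination immediately before encryption is the behaviour to alert on;
    a single forced kill by an operator is usually benign, so group by minute.
    """
    per_minute = Counter()
    for line in log_text.splitlines():
        if FORCE_KILL.search(line):
            m = TIMESTAMP.match(line)
            if m:
                per_minute[m.group(1)[:16]] += 1  # keep YYYY-MM-DDTHH:MM
    return {minute: n for minute, n in per_minute.items() if n >= threshold}


def avoslinux_files(paths):
    """Return the paths that carry the .avoslinux extension the ransomware appends."""
    return [p for p in paths if p.lower().endswith(".avoslinux")]


# Constructed datastore listing: one encrypted disk image beside untouched files.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.avoslinux",
    "/vmfs/volumes/datastore1/web01/web01.vmx",
    "/vmfs/volumes/datastore1/web01/web01.nvram",
]

if __name__ == "__main__":
    print(force_kill_bursts(SAMPLE_SHELL_LOG))
    print(avoslinux_files(SAMPLE_PATHS))
```

On a live host the same functions can be pointed at the real shell.log and at a walk of /vmfs/volumes; tuning `threshold` to the number of VMs normally stopped together keeps planned maintenance from alerting.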
The AvosLocker ransomware-as-a-service was first identified during the summer of 2021 and its attacks surged between November and December. In a recent wave of attacks, AvosLocker ransomware is rebooting systems into Windows Safe Mode for easier device management and more efficient resource usage.
By targeting virtual machines, ransomware authors also benefit from easier and faster encryption of multiple servers with a single command. Since October 2021, Hive ransomware has been encrypting Linux and FreeBSD systems with new malware variants, only months after cybersecurity researchers uncovered a REvil ransomware Linux encryptor targeting VMware ESXi virtual machines.
According to Emsisoft CTO Fabian Wosar, multiple ransomware operators including Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty, have also designed and used their own Linux encryptors.
"The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically," Wosar explained.
HelloKitty and BlackMatter ransomware Linux variants were also identified in the wild by security experts in July and August, further validating Wosar's statement. The Snatch and PureLocker ransomware operations have also been observed using Linux encryptors in the past.