AvosLocker is the latest ransomware gang to add Linux system encryption support to its recent malware variants, specifically targeting VMware ESXi virtual machines.
Although we were unable to find which targets were attacked using this Linux variant of the AvosLocker ransomware, BleepingComputer knows of at least one victim who has been hit with a million dollar ransom note.
Several months ago, the AvosLocker gang was also seen advertising its latest ransomware variants, Windows Avos2 and AvosLinux, while making a point of warning affiliates not to attack post-Soviet targets.
“Our new variants (avos2 / avoslinux) have the best of both worlds to offer: high performance and high encryption compared to its competitors”, the gang noted.
ESXi Virtual Machines Terminated Before Encryption
When launched on a Linux system, AvosLocker first lists the running virtual machines on the ESXi host and then force-kills each one by its World ID, using the following command (the awk action is wrapped in braces so the pipeline actually runs as described):
esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}'
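As an added detection example (not from the article and not part of the ransomware), the following Python scans ESXi shell-history lines for the sequence described above: a CSV-formatted VM enumeration followed by a burst of forced VM process kills from the same user. The shell.log line format, the sample entries and the thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an ESXi /var/log/shell.log (format is an
# assumption; real entries vary by build). They mirror the two commands the article
# attributes to the Linux encryptor: a CSV VM listing, then forced kills per World ID.
SAMPLE_LOG = """\
2021-12-01T10:22:30Z shell[2099567]: [root]: esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list
2021-12-01T10:22:31Z shell[2099567]: [root]: esxcli vm process kill --type=force --world-id=2100101
2021-12-01T10:22:31Z shell[2099567]: [root]: esxcli vm process kill --type=force --world-id=2100102
2021-12-01T10:22:32Z shell[2099567]: [root]: esxcli vm process kill --type=force --world-id=2100103
2021-12-01T10:22:32Z shell[2099567]: [root]: esxcli vm process kill --type=force --world-id=2100104
2021-12-01T14:05:10Z shell[2100330]: [root]: esxcli vm process kill --type=soft --world-id=2100200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
LIST_RE = re.compile(r"esxcli .*vm process list")
KILL_RE = re.compile(r"esxcli vm process kill --type=force --world-id=(?P<wid>\d+)")


def parse(log_text):
    """Yield (timestamp, user, command) for every line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["cmd"]


def find_mass_vm_kills(log_text, window=timedelta(seconds=60), threshold=3):
    """Return one finding per user who force-kills >= threshold distinct VMs within
    `window`, noting whether a CSV VM enumeration by that user preceded the burst.
    A single soft kill (normal admin activity) does not trigger a finding."""
    by_user = defaultdict(list)
    for ts, user, cmd in parse(log_text):
        by_user[user].append((ts, cmd))
    findings = []
    for user, events in by_user.items():
        kills, lists = [], []
        for ts, cmd in events:
            k = KILL_RE.search(cmd)
            if k:
                kills.append((ts, k["wid"]))
            elif LIST_RE.search(cmd):
                lists.append(ts)
        for i, (start, _) in enumerate(kills):
            wids = {w for ts, w in kills[i:] if ts - start <= window}
            if len(wids) >= threshold:
                findings.append({"user": user, "first_kill": start, "world_ids": sorted(wids),
                                 "preceded_by_enumeration": any(start - window <= t <= start for t in lists)})
                break  # one finding per user is enough to raise an alert
    return findings
```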
Once it starts working on a compromised system, the ransomware appends the .avoslinux extension to all encrypted files.
It also drops ransom notes asking victims not to turn off their computers to avoid file corruption and to visit an onion site for details on how to pay the ransom.
Security researcher MalwareHunterTeam told BleepingComputer that AvosLocker has been using the Linux encryptor since November 2021.
Ransomware's move to Linux
AvosLocker is a newer gang that first surfaced in the summer of 2021, calling on ransomware affiliates on underground forums to join their new Ransomware-as-a-Service (RaaS) operation.
The move to target ESXi virtual machines aligns with the gang's corporate targets, many of which have recently migrated to virtual machines for easier device management and more efficient use of resources.
By targeting virtual machines, ransomware operators also benefit from easier and faster encryption of multiple servers with a single command.
In October, Hive ransomware began encrypting Linux and FreeBSD systems using new malware variants, months after researchers spotted a Linux REvil ransomware encryptor targeting VMware ESXi virtual machines.
Emsisoft CTO Fabian Wosar told BleepingComputer that other ransomware gangs, including Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and HelloKitty, have also created and used their own Linux encryptors.
“The reason most ransomware groups have implemented a Linux version of their ransomware is to specifically target ESXi,” Wosar explained.
Linux variants of the HelloKitty and BlackMatter ransomware were also discovered in the wild by security researchers in July and August, confirming Wosar's claim. The Snatch and PureLocker ransomware operations have also been observed using Linux encryptors in the past.
You can find more information about the AvosLocker ransomware and what to do if you are affected by this ransomware family in our support section.