Skip to main content

Operator dossier

Avoslocker (also tracked as Avos) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 70 public victims claimed by this operator between June 13, 2021 and February 11, 2023. **Overview**: AvosLocker is a financially motivated ransomware group that emerged in June 2021, operating as both a Ransomware-as-a-Service (RaaS) platform and conducting direct attacks against organizations worldwide. The group has demonstrated sophisticated capabilities and has targeted over 70 victims across multiple critical sectors. **Origin & Affiliation**: While the exact country of origin remains unclear, AvosLocker operates as a RaaS model, recruiting affiliates to conduct attacks using their ransomware payload and infrastructure. The group has shown no clear ties to state-sponsored activities, appearing to be purely profit-driven cybercriminals. **Attack Methodology**: AvosLocker typically gains initial access through compromised Remote Desktop Protocol (RDP) credentials, VPN vulnerabilities, and phishing campaigns, subsequently deploying tools like Cobalt Strike for lateral movement and persistence. The group employs double extortion tactics, stealing sensitive data before encrypting systems and threatening to publish the information on their leak site if ransom demands are not met. Their ransomware uses strong encryption algorithms and includes capabilities to terminate security processes and delete shadow copies to prevent recovery. **Notable Campaigns**: The group has particularly targeted critical infrastructure sectors including education, manufacturing, finance, healthcare, and transportation, with significant attacks reported against organizations in the United States, Germany, Singapore, Canada, and France. CISA and FBI have issued joint advisories warning about AvosLocker's targeting of critical infrastructure, highlighting the group's impact on essential services. **Current Status**: As of recent threat intelligence reporting, AvosLocker remains active, continuing to recruit affiliates and conduct ransomware operations against organizations globally.

Most-targeted sectors

Most-affected countries

Recent disclosures by Avoslocker

All 70 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Avoslocker

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Avoslocker

aka Avos · 70 victims indexed · first seen 5 years ago · last activity 3 years ago

70
Victims indexed
#91 of 364 tracked operators
1y 8m
Active period
Jun 2021 → Feb 2023
14
Countries hit
top United States · 30

At a glance

Status
inactive
Aliases
Avos
First seen
5 years ago
Last activity
3 years ago
Onion sites
4 known endpoints
Primary sector
Education · 9 hits

About

**Overview**: AvosLocker is a financially motivated ransomware group that emerged in June 2021, operating as both a Ransomware-as-a-Service (RaaS) platform and conducting direct attacks against organizations worldwide. The group has demonstrated sophisticated capabilities and has targeted over 70 victims across multiple critical sectors. **Origin & Affiliation**: While the exact country of origin remains unclear, AvosLocker operates as a RaaS model, recruiting affiliates to conduct attacks using their ransomware payload and infrastructure. The group has shown no clear ties to state-sponsored activities, appearing to be purely profit-driven cybercriminals. **Attack Methodology**: AvosLocker typically gains initial access through compromised Remote Desktop Protocol (RDP) credentials, VPN vulnerabilities, and phishing campaigns, subsequently deploying tools like Cobalt Strike for lateral movement and persistence. The group employs double extortion tactics, stealing sensitive data before encrypting systems and threatening to publish the information on their leak site if ransom demands are not met. Their ransomware uses strong encryption algorithms and includes capabilities to terminate security processes and delete shadow copies to prevent recovery. **Notable Campaigns**: The group has particularly targeted critical infrastructure sectors including education, manufacturing, finance, healthcare, and transportation, with significant attacks reported against organizations in the United States, Germany, Singapore, Canada, and France. CISA and FBI have issued joint advisories warning about AvosLocker's targeting of critical infrastructure, highlighting the group's impact on essential services. **Current Status**: As of recent threat intelligence reporting, AvosLocker remains active, continuing to recruit affiliates and conduct ransomware operations against organizations globally.

References

38 links

External sources curated by the MISP threat-intel community.

Timeline

6 months
2021-06-01T00:00:00+00:00 · 32021-08-01T00:00:00+00:00 · 82021-09-01T00:00:00+00:00 · 82022-12-01T00:00:00+00:00 · 412023-01-01T00:00:00+00:00 · 12023-02-01T00:00:00+00:00 · 9
2021-06-01T00:00:00+00:002023-02-01T00:00:00+00:00

Top countries

🇺🇸 United States
30
🇨🇦 Canada
4
🇮🇩 Indonesia
2
🇬🇧 United Kingdom
2
🇪🇸 Spain
2
🇮🇳 India
1
🇫🇷 France
1
Botswana
1

Top sectors

Education
9
Technology
8
Manufacturing
8
Healthcare
6
Business Services
5
Energy & Utilities
4
Finance
3
Construction
3

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1055Process Injection
  • T1486Data Encrypted for Impact

Detection · YARA rules

1 rule
  • Ransom_AvosLocker

    YARA rule from ATR/Trellix: ransomware/RANSOM_Avoslocker.yar

    source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

4 known
  • http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion
  • http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
  • http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion/
  • http://avos2fuj6olp6x36.onion

Source

Updated 3 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Avoslocker posts a victim.

Add Avoslocker to your watchlist — Pro pings you within 5 minutes of any new Avoslocker leak-site post, Telegram callout, or affiliate-rebrand inference.