Day 17: AvosLocker Ransomware

Common Attack Vectors

  • Phishing Emails
  • Spam Advertisements

Vulnerabilities Exploited

  • Microsoft Exchange Servers
  • Domain Controller

Industries Targeted Frequently

Finance

Threat actors target financial institutions to steal people's names, financial records, social security numbers, and bank account details.

Healthcare

Threat actors target healthcare industries to steal patients' names, financial records, social security numbers, and other personal information.

Legal

Threat actors target legal companies and law firms, stealing their clients' confidential information.

Recent Activity

AvosLocker ransomware breached servers in Geneva, a small city in Ohio, stealing files and leaking the information, including file directories and court records, on their leak website.

AvosLocker ransomware breached the tech giant Gigabyte, compromising the motherboard/server maker and stealing sensitive information including business deals with third parties and personally identifiable information (PII) about the company’s employees.

Pacific City Bank, one of the largest Korean American community banks, was breached by AvosLocker ransomware, which stole information including tax returns, clients’ W-2 forms, and payroll records.

Common File Extensions

.avos

.avos2

Known Alias

No Known Alias

How AvosLocker Ransomware is Distributed

The threat actors attempt to remotely access a device or network and then run the AvosLocker ransomware manually. Once the initial access succeeds, the ransomware maps the accessible drives by listing all files and selects certain files for encryption based on their extensions. Additionally, the ransomware deletes the Shadow Volume Copies of the affected files and terminates specific applications that could interfere with the encryption process. Upon encrypting a file, the ransomware appends the ‘.avos’ extension to the file’s original name. Even though the encrypted contents are unreadable, Base64-encoded blocks are added to the files containing the RSA-protected AES keys that were used to encrypt them. A ransom note named “GET_YOUR_FILES_BACK.txt” is dropped in each affected directory. The threat actors increase the ransom amount if the deadline is not met and attempt to blackmail victims by threatening to dox them. AvosLocker is seeking new affiliates, as well as pentesters with Active Directory experience and access brokers. AvosLocker runs a partnership program in which it provides affiliates with Windows, Linux and ESXi servers, negotiation assistance, and network resource encryption services.
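The file-system indicators described above (the appended .avos/.avos2 extensions and the GET_YOUR_FILES_BACK.txt note dropped in each affected directory) are enough to triage a share after an incident. The script below is an added example written for this page; it is not code from the original post or from SpearTip's ShadowSpear platform. It builds a constructed sample directory tree (not real victim data), walks it, and reports encrypted files, ransom notes, and the original file names recovered by stripping the appended extension. Function and directory names are the example's own.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up above: appended extensions and ransom note name.
AVOS_EXTENSIONS = {".avos", ".avos2"}
RANSOM_NOTE_NAME = "GET_YOUR_FILES_BACK.txt"


def scan_for_avoslocker_indicators(root):
    """Walk `root` and report files carrying AvosLocker indicators.

    Returns a dict with:
      encrypted    - relative paths whose final suffix is .avos / .avos2
      ransom_notes - relative paths of files named GET_YOUR_FILES_BACK.txt
      originals    - original file names recovered by stripping the appended suffix
    """
    root = Path(root)
    findings = {"encrypted": [], "ransom_notes": [], "originals": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == RANSOM_NOTE_NAME:
                findings["ransom_notes"].append(rel)
            elif path.suffix.lower() in AVOS_EXTENSIONS:
                findings["encrypted"].append(rel)
                # AvosLocker appends its extension to the original name, so
                # stripping the last suffix recovers the original file name.
                findings["originals"].append(path.stem)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree(base):
    """Constructed sample tree mimicking an affected share (hypothetical, not real data)."""
    base = Path(base)
    (base / "finance").mkdir(parents=True)
    (base / "finance" / "Q3-report.xlsx.avos").write_bytes(b"\x00" * 16)
    (base / "finance" / RANSOM_NOTE_NAME).write_text("constructed note\n")
    (base / "hr").mkdir()
    (base / "hr" / "payroll.docx.avos2").write_bytes(b"\x00" * 16)
    (base / "hr" / "untouched.txt").write_text("clean\n")
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        share = build_sample_tree(Path(tmp) / "share")
        return scan_for_avoslocker_indicators(share)


if __name__ == "__main__":
    for key, values in demo().items():
        print(f"{key}: {values}")
```

Pointing `scan_for_avoslocker_indicators` at a mounted share gives a quick inventory of what was hit and which directories received a note, which is useful for scoping restoration from backups; the extension match is deliberately on the final suffix only, so a legitimate `report.avos.bak` would not be flagged.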

ShadowSpear

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.