According to various online news sources, a ransomware gang has added support to its ransomware to encrypt Linux systems. The new variants specifically target VMware ESXi virtual machines. The AvosLocker gang's latest ransomware variants are the Windows Avos2 and AvosLinux. Various online news sources also claim that at least one victim of the attack was hit with a $1 million ransom demand.
High performance and high amount of encryption
AvosLocker is also promoting its malware online, claiming that it is one of the fastest on the market, with higher performance and a higher degree of encryption than its competitors. The AvosLocker gang also claims that the malware receives regular updates based on feedback, and that attacks on post-Soviet/CIS countries are not allowed. Security researchers state that AvosLocker began using the malware in November of 2021.
AvosLocker🐞 advertising their latest variants (avos2 / avoslinux) pic.twitter.com/4a1Sb8XQqJ
— панкейк (@pancak3lullz) October 29, 2021
When launched on a Linux system, AvosLocker terminates the ESXi virtual machines running on the server by using the command:
esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}'
Once the virtual machines are killed, it encrypts their files and appends the .avoslinux extension to every encrypted file. The ransom note warns that shutting down the computer can cause file corruption and provides a .onion link with information about paying the ransom.
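A defender-side check for the behaviour described above, added here as an example that is not part of the article or of the malware: it parses constructed ESXi shell.log lines (the log line format is an assumption) and flags a burst of forced esxcli VM kills of the kind the one-liner produces, plus a helper that spots files carrying the .avoslinux extension.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of ESXi /var/log/shell.log lines. The format
# "<ISO timestamp> shell[<pid>]: [<user>]: <command>" is assumed, not captured.
SAMPLE_SHELL_LOG = """\
2021-10-29T10:01:02Z shell[1001]: [root]: esxcli system version get
2021-10-29T10:03:10Z shell[1001]: [root]: esxcli vm process list
2021-10-29T10:03:11Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2099123
2021-10-29T10:03:11Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2099456
2021-10-29T10:03:12Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2099789
2021-10-29T11:30:00Z shell[1042]: [root]: esxcli vm process kill --type=soft --world-id=2100001
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
KILL_RE = re.compile(r"esxcli vm process kill\b.*--type=force")


def parse_shell_log(text):
    """Return (timestamp, user, command) tuples for lines matching the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group("user"), m.group("cmd")))
    return events


def find_mass_vm_kills(events, window=timedelta(seconds=60), threshold=3):
    """Flag the first window holding >= threshold forced VM kills from the shell.

    A single forced kill is routine admin work; a burst of them within seconds
    is what piping 'vm process list' into 'vm process kill --type=force' produces.
    """
    kills = [ts for ts, _, cmd in events if KILL_RE.search(cmd)]
    for i, start in enumerate(kills):
        burst = [t for t in kills[i:] if t - start <= window]
        if len(burst) >= threshold:
            return {"start": start, "count": len(burst)}
    return None


def find_avoslinux_extension(paths):
    """Return the paths that carry the .avoslinux extension the ransomware appends."""
    return [p for p in paths if p.endswith(".avoslinux")]
```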
Targeting virtual machines allows the gang to hit multiple servers with a single command. Because it attacks ESXi virtual machines, AvosLocker mainly targets enterprise customers.