A Deep Dive into Avos Locker Ransomware
AvosLocker is a ransomware-as-a-service (RaaS) group that appeared in 2021. The malware accepts the following command-line parameters: “--help”, “--path”, “--disabledrives”, “--hide”, “--threads”, “--enablesmb”, “--brutesmb”, and “--nomutex”. Before encrypting, the ransomware kills a list of targeted processes, deletes all Volume Shadow Copies using two commands, and clears all Windows event logs. Depending on the arguments supplied, the binary can target logical drives as well as network shares.
Encryption is multithreaded and built on I/O completion ports. AvosLocker uses a combination of RSA and Salsa20 during the encryption process. Finally, the ransomware renders the ransom note text into an image and sets it as the desktop wallpaper.
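As an added example (not code from the original write-up), the following Python detection logic runs over constructed process-creation events and flags the pre-encryption behaviours summarised above: shadow-copy deletion, event-log clearing, and the documented command-line switches, correlated by parent process. The exact vssadmin/wmic/wevtutil command forms, the file paths and the "avos.exe" name are assumptions, since the write-up names the behaviours but not the commands themselves.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
# Parent paths and the "avos.exe" file name are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 100, "parent": r"C:\Users\Public\avos.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 101, "parent": r"C:\Users\Public\avos.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 102, "parent": r"C:\Users\Public\avos.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"pid": 103, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "avos.exe --enablesmb --brutesmb --threads 8"},
    {"pid": 104, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "wevtutil.exe qe Application /c:5"},  # benign log query, must not match
]

# One rule per behaviour named in the write-up. The two shadow-copy commands and the
# wevtutil clear-log form are assumptions; the write-up does not name the commands.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I),
    # Only the less generic switches from the documented parameter list are used here.
    "avoslocker_switches": re.compile(r"--(enablesmb|brutesmb|disabledrives|nomutex)\b", re.I),
}

def classify(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]

def correlate(events):
    """Group rule hits by parent image. A parent that both deletes shadow copies and
    clears event logs reproduces the pre-encryption sequence described above."""
    by_parent = defaultdict(set)
    for ev in events:
        for hit in classify(ev):
            by_parent[ev["parent"]].add(hit)
    high = {p for p, hits in by_parent.items()
            if {"shadow_copy_deletion", "event_log_cleared"} <= hits}
    return {"hits_by_parent": dict(by_parent), "high_confidence_parents": high}

if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS)
    for parent, hits in result["hits_by_parent"].items():
        print(f"{parent}: {sorted(hits)}")
    print("high-confidence parents:", sorted(result["high_confidence_parents"]))
```

Single hits (a lone wevtutil or vssadmin invocation) are common in administration, so the correlation step, not the individual rules, carries the signal.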