Malware

AvosLocker ransomware now targets Linux systems, including ESXi servers

AvosLocker is the latest ransomware that implemented the capability to encrypt Linux systems including VMware ESXi servers.

AvosLocker expands its targets by implementing the support for encrypting Linux systems, specifically VMware ESXi servers, Bleeping computed reported.

“While we couldn’t find what targets were attacked using this AvosLocker ransomware Linux variant, BleepingComputer knows of at least one victim that got hit with a $1 million ransom demand.” reported BleepingComputer. Security researcher MalwareHunterTeam confirmed that the ransomware gang is using the Linux encryptor since November 2021.

Other ransomware operations supporting Linux and ESXi servers are RansomExx/DefrayMespinozaHelloKitty, and Babuk. Linux-based versions of popular ransomware allow gangs to target a broad range of organizations, especially those using ESXi servers.

AvosLocker operators already advertised in the past a Linux variant, dubbed AvosLinux, of their malware claiming it was able to support Linux and ESXi servers.

According to BleepingComputer, upon execution AvosLinux terminates all ESXi machines on the server then it starts encrypting files.

The AvosLocker ransomware appends the .avoslinux extension to the filenames of all the encrypted files, then drops ransom notes in each folder containing the encrypted files.

The AvosLocker ransomware-as-a-service recently emerged in the threat landscape and its attacks surged between November and December. In a recent wave of attacks, AvosLocker ransomware is rebooting systems into Windows Safe Mode to disable endpoint security solutions.

At the end of December, the AvosLocker ransomware operators released a free decryptor after they accidentally encrypted the system of US Government entity.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, AvosLocker)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Mozilla fixed zero-days recently demonstrated at Pwn2Own Berlin 2025

Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data…

3 hours ago

Japan passed a law allowing preemptive offensive cyber actions<gwmw style="display:none;"></gwmw>

Japan passed a law allowing preemptive offensive cyber actions, shifting from its pacifist stance to…

9 hours ago

Pwn2Own Berlin 2025: total prize money reached $1,078,750

Pwn2Own Berlin 2025 wrapped up with $383,750 awarded on the final day, pushing the total…

14 hours ago

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

1 day ago

Security Affairs newsletter Round 524 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago