S1053: AvosLocker
AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[1][2][3]
Analyst context for executives and security teams
AvosLocker matters because its mapped behaviors translate directly into availability risk on Windows and Linux hosts. The ATT&CK relationships show more than encryption: discovery of files, processes, system time, and network shares; string obfuscation and file-type masquerading; persistence via Windows Run Keys or the Startup Folder; service stopping; reboot or shutdown activity (including termination of ESXi virtual machines by the Linux variant); and Safe Mode boot abuse that can weaken endpoint defenses. For leaders, this is a business continuity and incident readiness issue, not only a malware-signature issue.
Executive priority
Prioritize validation of ransomware resilience: recoverability of critical systems, visibility across Windows and Linux hosts, protection of shared storage, and response procedures for service disruption. Because the official ATT&CK description cites use against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors as of 2022, organizations in operationally sensitive sectors should ensure ransomware tabletop exercises, backup evidence, and SOC escalation paths cover encryption, service stoppage, and endpoint defense impairment scenarios.
Technical view
SOC and IR teams should map AvosLocker-relevant coverage to the supplied ATT&CK relationships: obfuscated or masqueraded files, dynamic API resolution on Windows, native API use, process/file/network share discovery, deobfuscation behavior, encryption for impact, service stop, shutdown/reboot, Run Key or Startup Folder persistence, hidden windows, and Safe Mode boot abuse. MITRE provides no official detection text for this object, so validation should be behavior-led rather than dependent on a named malware analytic.
Likely telemetry
- Endpoint process creation and command-line telemetry on Windows and Linux
- File creation, rename, extension, header/magic-byte mismatch, and high-volume file modification telemetry
- Registry monitoring for Windows Run Keys and Startup Folder changes
- Service control events, including service stop or disable activity
- System shutdown, reboot, and boot configuration events, including Safe Mode indicators on Windows
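The file telemetry above calls out header/magic-byte mismatches and extension changes. The following is an added example, not code from the page or from any vendor analysis of AvosLocker, that shows both checks over constructed sample files: a genuine JPEG, a PE image behind a `.jpg` name (the masquerade noted in the technique table), and an encrypted-looking document with the `.avos` extension appended. The signature table, the 7.5 bits/byte entropy threshold, and the function names are assumptions for illustration.

```python
"""Added example: flag files whose magic bytes contradict their extension
and files carrying an AvosLocker-style extension with encrypted-looking
content. Signature table, thresholds, and samples are constructed."""
import math
from collections import Counter

# Assumption: a small signature table is enough to show the check.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",      # also docx/xlsx containers
    b"\x7fELF": "elf",
    b"MZ": "pe",
}
EXT_TYPE = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "exe": "pe", "dll": "pe",
}
# Extensions from the technique table, compared case-insensitively.
RANSOM_EXTS = {"avos", "avos2", "avoslinux"}


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, longest signature first."""
    for sig, kind in sorted(MAGIC.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(sig):
            return kind
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, data: bytes) -> dict:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = sniff(data)
    claimed = EXT_TYPE.get(ext)
    return {
        "name": name,
        "detected": detected,
        "claimed": claimed,
        # Masquerade: the extension claims one format, the header shows another.
        "masquerade": claimed is not None and detected not in ("unknown", claimed),
        "ransom_ext": ext in RANSOM_EXTS,
        # 7.5 bits/byte is a constructed threshold; tune per environment.
        "high_entropy": shannon_entropy(data[:4096]) > 7.5,
    }


def suspicious(files) -> list:
    """Names of files that look masqueraded or already encrypted."""
    hits = []
    for name, data in files:
        r = classify_file(name, data)
        if r["masquerade"] or (r["ransom_ext"] and r["high_entropy"]):
            hits.append(name)
    return hits


# Constructed samples: a real JPEG header, a PE header behind a .jpg name,
# and an encrypted-looking document with the .avos extension appended.
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64),
    ("invoice.jpg", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 64),
    ("report.docx.avos", bytes(range(256)) * 8),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(classify_file(name, data))
    print("suspicious:", suspicious(SAMPLES))
```

The entropy check only reads the first 4 KiB so it stays cheap at scale; the masquerade check deliberately ignores files whose header is unknown, because an unrecognized header says nothing about the extension either way.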
Detection direction
- Validate behavior chains rather than single indicators: discovery of files/shares followed by service stoppage or high-volume file modification is more actionable than any one event alone.
- Tune for false positives from legitimate administration, backup tools, software deployment, and maintenance windows, especially for service stop, reboot, registry startup entries, and share enumeration.
- Confirm Windows-specific coverage for Run Keys/Startup Folder, dynamic API resolution-related detections where available, hidden window behavior, and Safe Mode boot attempts.
- Confirm Linux coverage is not limited to Windows ransomware assumptions; the object explicitly lists Linux and Windows platforms.
- Because official detection guidance is not provided, use the cited external references for indicators and enrich them with local behavioral analytics and incident findings.
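The first detection point above argues for behavior chains over single indicators: discovery of files or shares, then service stoppage or high-volume file modification. As an added example (not an AvosLocker artifact and not a vendor rule), the code below correlates constructed endpoint events per host inside a time window and emits one alert per host only when a discovery event is followed by defense impairment and/or bulk renaming to an AvosLocker-style extension. Event field names (`ts`, `host`, `kind`, `detail`), the 600-second window, and the 20-rename threshold are assumptions to tune against local telemetry.

```python
"""Added example: correlate endpoint telemetry into ransomware behavior
chains. Events and field names are constructed for this illustration."""
from collections import defaultdict

RANSOM_EXTS = (".avos", ".avos2", ".avoslinux")
DISCOVERY = {"share_enum", "process_discovery", "file_enum"}
IMPAIRMENT = {"service_stop", "safe_mode_boot", "reboot"}


def _bulk_rename(events, threshold):
    """Count renames to an AvosLocker-style extension; report if over threshold."""
    n = sum(1 for e in events
            if e["kind"] == "file_rename" and e["detail"].lower().endswith(RANSOM_EXTS))
    return n >= threshold, n


def find_chains(events, window=600, rename_threshold=20):
    """One alert per host whose discovery event is followed, within `window`
    seconds, by defense impairment and/or bulk renaming."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            if start["kind"] not in DISCOVERY:
                continue
            later = [e for e in evs[i + 1:] if e["ts"] - start["ts"] <= window]
            impair = sorted({e["kind"] for e in later if e["kind"] in IMPAIRMENT})
            bulk, n = _bulk_rename(later, rename_threshold)
            if impair or bulk:
                alerts.append({
                    "host": host,
                    "start_ts": start["ts"],
                    "discovery": start["kind"],
                    "impairment": impair,
                    "renames": n,
                    # Stages present: discovery, impairment, bulk rename.
                    "stages": 1 + bool(impair) + bool(bulk),
                })
                break  # one alert per host is enough for triage
    return alerts


def sample_events():
    """Constructed telemetry: one intrusion-like host, two benign hosts."""
    evs = [
        {"ts": 1000, "host": "WS-12", "kind": "share_enum", "detail": "net view \\\\FS01"},
        {"ts": 1030, "host": "WS-12", "kind": "process_discovery", "detail": "RmGetList"},
        {"ts": 1100, "host": "WS-12", "kind": "service_stop", "detail": "vss"},
        {"ts": 1101, "host": "WS-12", "kind": "service_stop", "detail": "sqlserver"},
    ]
    evs += [{"ts": 1120 + i, "host": "WS-12", "kind": "file_rename",
             "detail": f"\\\\FS01\\share\\doc{i}.docx.avos"} for i in range(25)]
    # Maintenance window: service stop and reboot with no preceding discovery.
    evs += [{"ts": 2000, "host": "SRV-BK", "kind": "service_stop", "detail": "backup-agent"},
            {"ts": 2005, "host": "SRV-BK", "kind": "reboot", "detail": "patch window"}]
    # Admin share enumeration with nothing after it.
    evs += [{"ts": 3000, "host": "WS-07", "kind": "share_enum", "detail": "net view"}]
    return evs


if __name__ == "__main__":
    for alert in find_chains(sample_events()):
        print(alert)
```

The benign hosts show why the chain matters: a service stop plus reboot on `SRV-BK` never alerts because nothing preceded it, and `WS-07`'s share enumeration alone is silent. Shrinking the window or raising the rename threshold is how the second detection point (tuning for administration and backup tools) is applied in practice.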
Mitigation priorities
- Sequence controls around resilience first: tested offline/immutable backups, restoration evidence, and recovery priorities for critical services and shared data.
- Harden and monitor administrative paths that can stop services, reboot systems, alter startup locations, or enumerate shares.
- Ensure endpoint defenses and logging remain available after reboot scenarios and that teams can identify cases where security tooling fails to start, including Safe Mode-related conditions on Windows.
- Reduce blast radius through least privilege, segmentation around critical shares, and controlled access to high-value file repositories.
- Maintain incident response playbooks for ransomware impact behaviors: isolation, preservation of evidence, service restoration, and executive decision workflows.
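The mitigation and detection points above both ask teams to recognize the case where endpoint tooling does not start after a Safe Mode boot, and the technique table notes that AvosLocker has used the `RunOnce` key to run itself in safe mode. One fact worth building a check around: Windows normally ignores `RunOnce` values when started in Safe Mode unless the value name is prefixed with `*`. The following is an added example, not AvosLocker code and not a vendor tool, that parses constructed text shaped like `bcdedit /enum {current}` and `reg query ...\RunOnce` output and flags the combination of a `safeboot` setting with a `*`-prefixed or untrusted-path `RunOnce` entry. The trusted-path prefixes and the sample values are assumptions.

```python
"""Added example: review a Windows host for the Safe Mode Boot plus RunOnce
pattern. Inputs are constructed text resembling bcdedit and reg query
output; the trusted-path list is an assumption for this illustration."""
import re

# Assumption: binaries under these prefixes are treated as expected.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_bcdedit(text: str) -> dict:
    """Map bcdedit field names (e.g. 'safeboot') to their values."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s{2,}(.+?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def parse_runonce(text: str) -> list:
    """Return (value_name, reg_type, data) tuples from reg query output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.+?)\s*$", line)
        if m:
            entries.append(m.groups())
    return entries


def assess(bcd_text: str, runonce_text: str) -> dict:
    bcd = parse_bcdedit(bcd_text)
    safeboot = bcd.get("safeboot")
    findings = []
    for name, _, data in parse_runonce(runonce_text):
        runs_in_safe_mode = name.startswith("*")   # '*' prefix survives Safe Mode
        exe = data.strip('"').lower()
        untrusted = not exe.startswith(TRUSTED_PREFIXES)
        if runs_in_safe_mode or untrusted:
            findings.append({"value": name, "command": data,
                             "runs_in_safe_mode": runs_in_safe_mode,
                             "untrusted_path": untrusted})
    return {
        "safeboot": safeboot,
        "suspicious_runonce": findings,
        # Both halves present: boot forced into Safe Mode and a RunOnce
        # entry that will still execute there.
        "chain": safeboot is not None and any(f["runs_in_safe_mode"] for f in findings),
    }


# Constructed output resembling a host prepared for a Safe Mode run.
BCD_SUSPECT = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.exe
description             Windows 10
safeboot                Network
"""
RUNONCE_SUSPECT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    *updater    REG_SZ    C:\ProgramData\svc\updater.exe
    OneDriveSetup    REG_SZ    C:\Windows\System32\OneDriveSetup.exe /silent
"""
# Constructed clean host: no safeboot setting, only the vendor RunOnce entry.
BCD_CLEAN = "\n".join(ln for ln in BCD_SUSPECT.splitlines() if not ln.startswith("safeboot"))
RUNONCE_CLEAN = "\n".join(ln for ln in RUNONCE_SUSPECT.splitlines() if "*updater" not in ln)

if __name__ == "__main__":
    print(assess(BCD_SUSPECT, RUNONCE_SUSPECT))
    print(assess(BCD_CLEAN, RUNONCE_CLEAN))
```

In an incident the same review should run before a suspected host reboots: once it comes up in Safe Mode with a `*`-prefixed `RunOnce` value, the entry deletes itself after executing and the evidence is gone.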
Analyst notes and limits
This take is based only on the supplied ATT&CK S1053 object, its official description, external references, and listed relationships. The most decision-relevant relationships are impact and defense-impairment behaviors: Data Encrypted for Impact, Service Stop, System Shutdown/Reboot, and Safe Mode Boot. The discovery and stealth relationships explain why early detection may depend on endpoint and file/share visibility before encryption becomes obvious.
MITRE does not provide official detection text, aliases, labels, or explicit tactics for the malware object itself in the supplied fields. Technique relationships provide behavioral context but do not prove those behaviors will occur in every incident. Local telemetry, asset criticality, backup architecture, and control configuration are required to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available. Bracketed numbers refer to the external references listed below; citations given by name only are ATT&CK sources not included in this page's reference list.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | AvosLocker has used a variety of Windows API calls, including `NtCurrentPeb` and `GetLogicalDrives`. [1] |
| Enterprise | T1688 | Safe Mode Boot | AvosLocker can restart a compromised machine in safe mode. [2] (Costa AvosLocker May 2022) |
| Enterprise | T1486 | Data Encrypted for Impact | AvosLocker has encrypted files and network resources using AES-256 and added an `.avos`, `.avos2`, or `.AvosLinux` extension to filenames. [1][2][3] (Cisco Talos Avos Jun 2022) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | AvosLocker has been executed via the `RunOnce` Registry key to run itself in safe mode. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | AvosLocker has deobfuscated XOR-encoded strings. [1] |
| Enterprise | T1027.007 | Dynamic API Resolution | AvosLocker has used obfuscated API calls that are resolved by their checksums. [1] |
| Enterprise | T1083 | File and Directory Discovery | AvosLocker has searched for files and directories on a compromised network. [1][2] |
| Enterprise | T1036.008 | Masquerade File Type | AvosLocker has been disguised as a .jpg file. [2] |
| Enterprise | T1564.003 | Hidden Window | AvosLocker has hidden its console window by using the `ShowWindow` API function. [1] |
| Enterprise | T1489 | Service Stop | AvosLocker has terminated specific processes before encryption. [1] |
| Enterprise | T1135 | Network Share Discovery | AvosLocker has enumerated shared drives on a compromised network. [1][3] |
| Enterprise | T1027 | Obfuscated Files or Information | AvosLocker has used XOR-encoded strings. [1] |
| Enterprise | T1124 | System Time Discovery | AvosLocker has checked the system time before and after encryption. [1] |
| Enterprise | T1057 | Process Discovery | AvosLocker has discovered system processes by calling `RmGetList`. [1] |
| Enterprise | T1529 | System Shutdown/Reboot | AvosLocker's Linux variant has terminated ESXi virtual machines. [2] |
Groups, software, and campaigns
C0018
C0018 was a month-long ransomware intrusion that successfully deployed AvosLocker onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing AvosLocker.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. Where multiple ATT&CK source imports are retained, the same object can be compared across releases by object version, MITRE modification timestamp, and raw hash. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases
| Release | Object version | Status | Raw hash |
|---|---|---|---|
| 19.1 | 1.0 | Current bundle | fa2afd65c745… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Malwarebytes AvosLocker Jul 2021: Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Malwarebytes. Retrieved January 11, 2023.
- [2] Trend Micro AvosLocker Apr 2022: Trend Micro Research. (2022, April 4). Ransomware Spotlight: AvosLocker. Retrieved January 11, 2023.
- [3] Joint CSA AvosLocker Mar 2022: FBI, FinCEN, Treasury. (2022, March 17). Indicators of Compromise Associated with AvosLocker Ransomware. Joint Cybersecurity Advisory. Retrieved January 11, 2023.
- [4] MITRE ATT&CK. S1053: AvosLocker. Mirrored source object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.