Ransomware Report


Title: AvosLocker ransomware
Registration date: 2023-10-31


[Virus/Malware Activity Report: AvosLocker Ransomware]

A security incident believed to involve AvosLocker ransomware has occurred. We confirm the situation and issue the following warning.

AvosLocker ransomware

The ransomware in question is called AvosLocker. It appears to rename every file to the form <filename.extension.avos2>.

How it works

File version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in window properties]

Ransomware operation characteristics

  • It is written in C++ and creates a mutex to prevent duplicate execution. It runs the commands frequently used by ransomware <Delete shadow copies (vssadmin and wmic) / Disable recovery mode / Turn off error recovery notification window display>, and also deletes the Windows event log. While encryption is in progress, information about the operation is displayed in the console, and additional arguments for changing options are also supported.


    [Figure 3 Dynamic code for mutex creation to prevent duplicate execution]


    [Figure 4 String allocated for command]


    [Figure 5 Console contents displayed during execution]


    [Figure 6 Argument information available in CMD]

Infection results

The guide file (ransom note) is created as <GET_YOUR_FILES_BACK.txt> in each path. When encryption is performed, files are renamed to <filename.extension.avos2>, and the desktop is changed when encryption completes.


[Figure 7 Infection results]
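The behaviours and artifacts described above can be correlated per host for detection. The following is an added example, not code from the original report or from White Defender: the event dictionary layout, host names and exact command-line forms are assumptions (the report names only the behaviours), while the guide file name and the avos2 extension come from the report.

```python
import re
from pathlib import PureWindowsPath

# Behaviours named in the report -> command-line patterns. The exact command
# strings are assumptions (common forms); the report only names the behaviours.
COMMAND_RULES = {
    "shadow_delete_vssadmin": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "shadow_delete_wmic": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "recovery_mode_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "error_recovery_prompt_off": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I),
}
NOTE_NAME = "get_your_files_back.txt"  # guide file name given in the report
ENCRYPTED_EXT = ".avos2"               # appended extension given in the report

# Constructed sample telemetry (hypothetical hosts and paths), not real logs.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS01", "type": "process", "cmdline": "cmd /c wmic shadowcopy delete /nointeractive"},
    {"host": "WS01", "type": "process", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\a\Documents\GET_YOUR_FILES_BACK.txt"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\a\Documents\budget.xlsx.avos2"},
    {"host": "WS02", "type": "process", "cmdline": "vssadmin list shadows"},
    {"host": "WS02", "type": "file", "path": r"C:\Temp\notes.txt"},
    {"host": "WS03", "type": "process", "cmdline": "vssadmin delete shadows /for=C: /oldest"},
]


def classify(event):
    """Return the set of rule names that one event matches."""
    if event["type"] == "process":
        return {name for name, rx in COMMAND_RULES.items() if rx.search(event["cmdline"])}
    path, hits = PureWindowsPath(event["path"]), set()
    if path.name.lower() == NOTE_NAME:
        hits.add("ransom_note_created")
    if path.suffix.lower() == ENCRYPTED_EXT:
        hits.add("avos2_rename")
    return hits


def triage(events, min_distinct=3):
    """Alert on hosts where several distinct behaviours co-occur."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_distinct}
```

Requiring several distinct behaviours on one host keeps a lone administrative shadow-copy cleanup (WS03 in the sample) from raising an alert.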

White Defender compatible

White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files encrypted before the block.


[Figure 9 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.