Cyber Threat Actor: Avos Locker
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
25 incidents |
|---|
Profile
Avos Locker, also known as AvosLocker, operates as a ransomware group with suspected ties to Russia. The group engages in financially motivated cyberattacks, primarily employing data exfiltration and double extortion tactics to pressure victims into paying ransoms. Their operations frequently target educational institutions, healthcare providers, and financial organizations, with a notable focus on U.S.-based entities. Avos Locker leverages stolen data as collateral, threatening public leaks via dedicated dark web sites to amplify extortion pressure. The group’s activities align with a ransomware-as-a-service (RaaS) model, involving affiliates who execute attacks while sharing proceeds with the core team.
Avos Locker demonstrates adaptability in its tactics, including the hijacking of emergency communication systems to bypass institutional control. In the April 2023 Bluefield University attack, they compromised the RamAlert system to send threatening messages directly to students and staff—a novel method to prevent victim organizations from downplaying breaches. The group typically exfiltrates sensitive data such as tax documents (W-2 forms), student admissions records, and protected health information, which they partially leak as proof of compromise. Healthcare targets have included pediatric and behavioral health providers, such as Methodist Family Health, where stolen data involved treatment details and medication records. Financial institutions like Pacific City Bank have also been breached, with attackers criticizing the bank’s security posture while leaking financial documents.
Attribution to Russia is publicly cited but lacks explicit evidence of state sponsorship. Avos Locker’s criminal consortium structure allows for scalable operations, as seen in incidents where affiliates targeted vulnerable sectors like children’s healthcare. The group avoids encrypting networks in some cases, focusing solely on data theft to extort victims, as observed in the 2022 Savannah College of Art and Design breach. High-impact campaigns include the February 2023 California Northstate University attack, where employee tax forms containing Social Security numbers and salaries were leaked, and the May 2022 CHRISTUS Health breach, which exposed COVID-19 patient data and surgical schedules. While Avos Locker occasionally removes victims from leak sites—as with Methodist Family Health—the motives remain unclear, with no confirmed correlations to ransom payments or ethical reconsiderations. Their operations underscore a persistent threat to sectors handling sensitive personal and financial data.
