US and Australian Authorities Warn of Increasing Avaddon Ransomware Attacks

You are currently viewing US and Australian Authorities Warn of Increasing Avaddon Ransomware Attacks

The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning of a new malware campaign centered around Avaddon Ransomware. The campaign is targeting a diverse number of sectors within the US and globally. The FBI said in a TLP:GREEN flash alert last week that Avaddon ransomware affiliates are trying to breach the networks of manufacturing, healthcare, and other private sector organizations worldwide.

The ACSC has expanded on the FBI’s report, pointing to other sectors Avaddon Ransomware’s affiliates are targeting. These include government, finance, law enforcement, energy, information technology, and health. The ACSC also provided names of several countries being attack, including the US, UK, Australia, Germany, China, Brazil, India, UAE, France, and Spain.

“The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilizing the Avaddon Ransomware malware [..] actively targeting Australian organizations in a variety of sectors. The ACSC is aware of several instances where the Avaddon ransomware has directly impacted organizations within Australia.” the group said in their report.

Avaddon Ransomware
Avaddon Ransomware targets according to the ACSC report

The ACSC report also claimed that individuals using Avaddon Ransomware were threatening victims with denial-of-service (DDoS) to persuade them into paying ransoms. However, the FBI stated there is no evidence of hackers using DDOS attacks after infection in the campaign.

The Avaddon ransomware gang first announced in January 2021 that they will launch DDoS attacks to take down victims’ sites or networks until they reach out and begin negotiating to pay the ransom.

Avaddon Ransomware
Avaddon Ransomware DDOS Threats

Avaddon Ransomware was first reported on in February 2019. In June 2020, it began recruiting affiliates with a spam campaign that targeted potential customers globally. The creators aimed to achieve mass adoption by malware distributors, hackers, and others involved in the cybercrime world.

Affiliates who join this RaaS operation are responsible for compromising networks to deploy payloads or distribute the ransomware via spam or exploit kits. At the same time, its operators are accountable for developing the malware and operating the TOR payment site.

The Avaddon RaaS operation also asks affiliates to follow a set of rules, one of them being not to go after targets from the Commonwealth of Independent States (CIS).

The group behind Avaddon pay affiliates a 65% cut of the ransom bounties, while they group get 35%.

As with other MaaS and RaaS programs, larger customers can negotiate a more favourable profit distribution.

The average payment demanded in an Avaddon Ransomware infection is 0.73 bitcoin, or $41,000. In exchange, the victim receives the Avaddon General Decryptor to restore their files.

Avaddon ransomware affiliates are also known for stealing data from their victims’ networks before encrypting systems for double-extortion. This tactic has become more common in the last two years, with nearly all mainstream ransomware operations adopting it.

Avaddon Ransomware Analysis

BazarLoader

The analysis of Avaddon Ransomware was provided by TrendMicro.

Avaddon Ransomware was initially detected as Ransom.Win32.AVADDON.YJAF-A. A trojan (detected as Trojan.JS.AVADDON.YJAF-A) downloads the ransomware from malicious sites and runs them on the system. This has been reported in a series of twitter posts by TMMalAnalyst.

The ransomware is propagated through emails with an attachment named IMG{6 random number}.jpg.js.zip that contains a JavaScript file named IMG{6 random number}.jpg.js.

Avaddon Sample Email

As seen in the preceding figure, the email body contains a single smiley. The emails for the Avaddon campaign also follow the footsteps of past malware campaigns that use particular subjects to spark the curiosity of the users, thus prompting them to open the message and download the attachment. Most of these emails have photo-related subjects, which might be particularly enticing for users at a time when gadgets with built-in cameras have now become widely available. These subjects include “Look at this photo!”, “You look good here”, “Is this you?” and similar enticing lines.

After the attachment is downloaded and ran, it uses a PowerShell command and the BITSAdmin command-line tool to download and run the ransomware payload. After this, the affected users will see that the ransomware has encrypted the files and appended them with the .avdn file extension. Users will see that their system desktop’s wallpaper has been automatically changed to an image that states that “all your files have been encrypted” and refers to the ransom note: “Instruction 270015-readme.html” (following the {Encrypted Directory}{random numbers}-readme.html format).

Victims wallpaper after infection

The ransom note gives instructions on how the affected user can recover the encrypted files.

Note left by Avaddon Ransomware

This ransomware encrypts files found in the following folders:

  • Program Files\Microsoft\Exchange Server
  • Program Files (x86)\Microsoft\Exchange Server
  • Program Files\Microsoft SQL Server
  • Program Files (x86)\Microsoft SQL Server


It adds the following processes that deletes backup copies of the system, making it difficult to restore:

  • wmic.exe SHADOWCOPY /nointeractive
  • wbadmin DELETE SYSTEMSTATEBACKUP
  • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • bcdedit.exe /set {default} recoveryenabled No
  • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • vssadmin.exe Delete Shadows /All /Quiet

It terminates services and processes, many of which are related to scanning, storing and retrieving files, and scheduling tasks.

Protection

The attack vector for Avaddon Ransomware is extremely common – A phishing email intended to trick the user into opening a file. It is important that business owners and family’s exercise caution when it comes to opening emails from unknown senders, and that employees and family members are educated to understand the risks of cybersecurity.

Sometimes phishing emails will be successful, no matter how well the human is trained to spot them. To avoid falling into this trap, use SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply