
rThreat Adversary Spotlight: Avaddon Ransomware

Avaddon Ransomware, also detected as Ransom:Win32/Avaddon.PA!MTB (Microsoft) and Win32/Filecoder.Avaddon.A trojan (NOD32), primarily attacks Windows machines that are not located in Russia or in countries that maintain positive relations with Russia. Although the overall risk rating and the number of reported infections are low for this strain of ransomware, its damage potential is high, which makes it more important than ever to validate whether your cyber defenses can prevent these attacks using Breach and Attack Emulation solutions.

Overview of Avaddon Ransomware

First appearing in the wild in 2020, Avaddon is a new strain of ransomware that has affected several companies. One of its most widely reported victims has been the French insurance company AXA, where threat actors stole customer IDs, customer claims, contracts, reports, and more. Some people speculate that this attack may be retaliation for AXA’s decision to “stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.”


Avaddon Ransomware AXA Attack

Source @ hackread.com


Similar to MAZE ransomware, Avaddon has a data leak site where threat actors post the information of any companies that refuse to pay the ransom. Not only do companies lose their data, but their sensitive information is also posted online for anyone to access. However, this is not the only significant threat that Avaddon poses: in addition to the ransomware, the criminals behind these attacks also threaten to carry out Distributed Denial of Service (DDoS) attacks against companies that do not cooperate with their demands. When Avaddon first appeared in June 2020, a free decryptor was released online, but the creators have since updated their code and that decryptor no longer works against the current malware.


How Does Avaddon Ransomware Work?

Avaddon is primarily spread via phishing and spam campaigns that deliver malicious JavaScript files. An alternative point of entry is through malicious sites that automatically download the ransomware to a compromised endpoint. Typically, the phishing emails are not very sophisticated: they contain a threat suggesting that the attached file holds a compromising photo of the victim, in order to convince people to download the file and check whether the claim is legitimate. Additional Avaddon Tactics, Techniques, and Procedures (TTPs) can be found in the MITRE ATT&CK Framework.

When it comes to the malware itself, Avaddon is written in C++ and encrypts data using a unique AES256 encryption key. Once a system is infected, Avaddon checks the operating system language and keyboard layouts. If the victim’s operating system language is set to one of the languages typically used in the Commonwealth of Independent States (formerly the Soviet Union), it ends execution without harming the system. It also uses the “GetUserDefaultLCID()” function to determine the machine’s default locale and system language, further deciding whether the system will be targeted. If the malware decides to execute on an infected machine, it encrypts all data on the system and displays this message:


Avaddon Ransomware Attack Message

Who is Behind Avaddon Ransomware?

The current author of Avaddon is unknown, but given that it ignores users in countries with good relations with Russia, it is suspected to be a Russia-based threat actor group. As mentioned previously, the malware inspects the OS language to determine where the target is located and only targets users who are not in the Commonwealth of Independent States (formerly the Soviet Union).


Major Attacks Involving Avaddon

There are a few public examples of companies that have been targeted by Avaddon to date. AXA Group, a France-based insurance company, was the target of a major incident involving Avaddon. In addition, the Melbourne-based service provider Schepisi Communications has also been a victim of Avaddon. The information it lost included “tens of thousands” of SIM cards, contracts, banking information, and more.


Avaddon Ransomware Schepisi Communications Attack

Source @ hackread.com


In both of these situations, the target was company data that may or may not belong to individual customers. At this time, it does not appear that the threat actor group is using this information to target individual people; however, there is no denying that posting this information online can have a very negative impact on individual customers. On June 11, 2021, Avaddon operators announced that they were “shutting down” their operations and released 2,934 private keys of past victims. While this is good news for existing victims, it is not uncommon for threat groups to “shut down,” go through a rebranding phase, and emerge once again to resume their operations under a new name with different malware.


Ransomware Prevention Methods

Now that we have a good understanding of what this threat is and how it works, let’s dive into the basics of how you can prevent an Avaddon ransomware attack. The first thing to focus on is email security, since this malware spreads primarily via phishing campaigns. It is important that you have an email solution that can scan email attachments to identify and block malware. It is also important to teach users to look at emails carefully before downloading attachments and to show them how to spot phishing emails.

Second, make sure you have regular offsite backups of any important company information. This way, if you are hit with ransomware, you can recover your data without needing to pay the ransom. Third, make sure you have good network segmentation. This way, if one device contracts the malware, it will be more difficult for it to spread to other machines on the network. You can also refer to the CISA Ransomware Guide for more detailed information on how to prevent ransomware attacks.

If you have already been infected by Avaddon, you should isolate the machine by removing its connection to the Internet and the internal network. Do not power off the machine, or you may lose valuable information held in memory, which will be important later on when it is time to do computer forensics. Simply unplug the network cable so that it cannot communicate with anything else on the network. You should also scan your entire network with an anti-malware solution that is capable of detecting Avaddon so that you can identify any other machines that may have been infected but have not yet been instructed to start encrypting. If you are a victim and want to know if your files can be decrypted, you can also use the Emsisoft Decryptor for Avaddon.


The Importance of Continuous Security Validation

If you really want to make sure you’re protected in the event of a ransomware attack, you need to test your cyber defenses on a continuous basis. rThreat’s breach and attack emulation platform contains a library of newly released malware that can be used to test your environment’s defenses against those malware variants before you are attacked. rThreat currently has Avaddon variants in its library for testing purposes that can help ensure you’re protected from this type of ransomware. The platform not only validates the effectiveness of security tools and processes, but can also be used to run drills with your security team so they are trained to rapidly detect and respond to this type of ransomware attack. If you would like to try a demo of rThreat’s solution, contact our team here.

