The FBI has received notifications of unidentified cyber actors using Avaddon ransomware against US and foreign private sector companies, manufacturing organizations, and healthcare agencies. Avaddon ransomware was first advertised on Russian-language hacking forums as a ransomware-as-a-service (RaaS).
Avaddon ransomware actors have compromised victims through remote access login credentials [e.g., remote desktop protocol (RDP) and virtual private network (VPN)] with single-factor authentication or improperly configured RDP. After Avaddon actors gain access to a victim’s network, they map the network and identify backups for deletion and/or encryption. The malware escalates privileges, contains anti-analysis protection code, enables persistence on a victim system, and verifies the victim is not located in the Commonwealth of Independent States (CIS).
Avaddon ransomware actors not only encrypt victims’ data for a ransom but also exfiltrate data from their victims. The actors threaten to leak the victims’ data to The Onion Router (TOR) network unless their ransom demand is paid in virtual currency within days of infection. Avaddon’s extortion tactics progress from a warning, to a partial data leak, and finally to a full data leak of all exfiltrated files. The extortion/data leak process typically follows these steps:
- Leak Warning: After initially gaining access to a victim network, Avaddon actors leave a ransom note on the victim’s network and post a “leak warning” to the Avaddon TOR leak website (avaddongun7rngel.onion). The warning consists of screenshots from files (e.g., sensitive documents) and proof of access to the victim’s network (e.g., screenshots of network folders).
- 5 Percent Leak: If the victim does not quickly pay the ransom within 3 to 5 days, Avaddon actors increase the pressure on victims by leaking a portion of the files (as opposed to screenshots). The Avaddon actors leak this data by uploading a small .ZIP file to Avaddon’s TOR leak website.
- Full Leak: If the ransom is not paid after the 5 percent leak, Avaddon actors post all their exfiltrated data in large .ZIP files in the “Full dumps” section of the Avaddon TOR leak website.
In January 2021, Avaddon actors stated they would attack victims who do not pay the ransom with distributed denial-of-service (DDoS) attacks. As of April 2021, the FBI has not identified DDoS attacks following Avaddon ransomware events.
Ransom Note Details and TOR Websites
Avaddon ransom notes typically contain a unique victim ID and a link to the TOR website at avaddonbotrxmuyl.onion, which victims must access by downloading and using a TOR browser. This website is used to provide technical support, negotiate with victims via an online chat functionality, post data leaks, and receive ransomware payments from victims. When victims enter their IDs on the site, they receive instructions on how to pay the ransom and decrypt their data.
File Names and Tools used by Attackers
The following applications are leveraged by Avaddon actors to compromise victims. While these applications support legitimate purposes, they can also be used by threat actors to aid in system compromise or exploration of an enterprise:
- WMIC.exe (WMI - Windows Management Instrumentation)
- Svchost.exe (Service host system process)
- Taskhost.exe (Host protocol)
Avaddon was written in C++ and encrypts data using a unique AES256 encryption key. During the infection process, Avaddon checks the operating system language and keyboard layouts. If a potential victim’s operating system language is set to specific languages normally used in the CIS, the malware ceases operation without harming the system. Analysis of Avaddon ransomware reveals common capabilities of ransomware, such as encryption (e.g., CryptEncrypt), persistence through registry keys (e.g., RegCreateKeyW, StartServiceW), anti-analysis (e.g., IsDebuggerPresent), and activity control (e.g., DeleteService, TerminateProcess, or “EventDisable UAC”).
File Extension on Encrypted Files
Initially, the Avaddon ransomware used the extension .avdn when encrypting files. In fall 2020, the ransomware started using an extension composed of nine or ten characters drawn from the letters A through E, in upper- or lowercase (e.g., .BEaBeBecdA, .BAAcbdCDbb, .DDAbAAcae).
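As an added defensive example (not part of the FBI alert), the following Python flags file names carrying the Avaddon-style extensions described above and reports only directories where several such files appear, the pattern of mass encryption rather than a single oddly named file. The file listing is constructed, and the per-directory threshold is an assumption to tune for your environment.

```python
import re
from pathlib import PureWindowsPath

# Extensions described in the alert: the original ".avdn" and, from fall 2020,
# 9 or 10 characters drawn from the letters A-E. The alert's own samples mix
# upper- and lowercase, so the match is case-insensitive. Legitimate extensions
# of 9-10 letters using only A-E are rare, which keeps false positives low.
AVADDON_EXT = re.compile(r"^\.(?:avdn|[A-Ea-e]{9,10})$")


def is_avaddon_extension(name: str) -> bool:
    """Return True if the file name ends in an Avaddon-style extension."""
    return bool(AVADDON_EXT.match(PureWindowsPath(name).suffix))


def scan_paths(paths, threshold=3):
    """Group suspicious files by directory and keep directories with at least
    `threshold` hits (assumed value). Returns {directory: [file names]}."""
    hits = {}
    for p in paths:
        pure = PureWindowsPath(p)
        if is_avaddon_extension(pure.name):
            hits.setdefault(str(pure.parent), []).append(pure.name)
    return {d: names for d, names in hits.items() if len(names) >= threshold}


# Constructed sample file listing (not real victim data).
SAMPLE_PATHS = [
    r"C:\Finance\Q3\budget.xlsx.BEaBeBecdA",   # 10 chars, A-E only
    r"C:\Finance\Q3\forecast.docx.BAAcbdCDbb", # 10 chars, A-E only
    r"C:\Finance\Q3\ledger.pdf.DDAbAAcae",     # 9 chars, A-E only
    r"C:\Finance\Q3\readme_unencrypted.txt",   # ordinary extension
    r"C:\Legacy\invoice.pdf.avdn",             # original extension, 1 hit only
    r"C:\Users\alice\notes.txt",
    r"C:\Users\alice\photo.jpeg",
    r"C:\Users\alice\archive.ABCDEABCDE",      # single match below threshold
]

if __name__ == "__main__":
    for directory, names in scan_paths(SAMPLE_PATHS).items():
        print(f"{directory}: {len(names)} Avaddon-style file(s): {', '.join(names)}")
```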
Recommended Mitigations
- Back-up critical data offline
- Ensure copies of critical data are in the cloud or on an external hard drive or storage device
- Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides
- Use two-factor authentication with strong passwords, including for remote access services
- Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable
- Regularly change passwords to critical systems
- Keep computers, devices, and applications patched and up-to-date
- Install and regularly update anti-virus or anti-malware software on all hosts