First published: 08 May 2021
Last updated: 08 May 2021

Content written for

Small & medium business
Large organisations & infrastructure
Government

 

Background

Avaddon is a ransomware variant first detected in February 2019, used in cybercriminal campaigns targeting multiple sectors and organisations around the world, including Australia. Avaddon is offered as a Ransomware-as-a-Service (RaaS), enabling affiliates to utilise it as desired, provided they return a percentage of profits to Avaddon developers as commission. The ACSC is aware of several instances where the Avaddon ransomware has directly impacted organisations within Australia.

Dark Web and Threat Activity

Avaddon has an active presence on underground dark web cybercrime forums, notably advertising the Avaddon RaaS variant to potential affiliates via a number of high tier cybercrime forums. Avaddon threat actors also utilise the data leak site (DLS) avaddongun7rngel[.]onion to identify victims who fail or refuse to pay ransom demands.

Avaddon threat actors demand ransom payment via Bitcoin (BTC), with an average demand of BTC 0.73 (approximately USD $40,000) with the lure of a decryption tool offered (‘Avaddon General Decryptor’) if payment is made.

Targeted Countries and Sectors

The ACSC is aware of active targeting of the following countries and sectors:

Targeted Countries  Targeted Sectors 
 Australia  Belgium  Academia  Airlines
 Brazil  Canada  Construction  Energy
 China  Costa Rica  Equipment  Financial
 Czech Republic  France  Freight and Transport  Government
 Germany  India  Health  Hospitality
 Indonesia  Italy  Information Technology  Law Enforcement
 Jordan  Peru  Manufacturing  Marketing
 Poland  Portugal  Retail  Pharmaceutical
 Spain  United Arab Emirates  Virtual Environment
 United Kingdom  United States

Techniques, Tools, and Procedures

Identified Techniques, Tools and Procedures (TTPs) for Avaddon threat actors include:

  • Using phishing and malicious email spam (malspam) campaigns to deliver malicious JavaScript files. These are often low in sophistication, containing a threat suggesting the attached file contains a compromising photo of the victim.
  • Using ‘double extortion’ techniques as coercion and further pressure to pay a ransom including:
  • Threatening to publish the victim’s data (via the Avaddon Data Leak Site (DLS): avaddongun7rngel[.]onion
  • Threatening the use of DDoS attacks against the victim (identified since February 2021)
  • Applying the GetUserDefaultLCID() function to identify the default geolocation and system language of the user’s device, subsequently, determining whether the user will be targeted for attack, or not. This technique has also been observed in ransomware campaigns using the MedusaLocker variant.
  • TTPs for Avaddon are very similar to those identified in use within the Ako and MedusaLocker ransomware variants, including the use of an embedded public key to perform AES-256 encryption on all file data, as well as using a Windows Scheduled Task to establish persistence.

Malware Capabilities

The Avaddon ransomware has the following capabilities:

Allocates memory Anti-VM capabilities Anti-debug capabilities Bypass Windows
Calculates FNV hashes Capture FNV hashes Capture Network Share information Capture disk information
Capture hostname Capture keyboard layout Capture network configuration Capture network interfaces
Capture operating system information Capture payment card data Capture system network information Communicates using ICMP
Communicates using UDP Communicates using raw sockets Constructs mutex Copy files
Create Windows registry key Create Windows registry key value Create files Create thread
Creates processes Decodes Base64 Delete Volume Shadow Copy files Delete a service
Delete files Encodes using Base64 Encodes using XOR Executes using a scheduled task
Find files Gets common file path Gets environmental variable value Gets file attribute
HTTP request capabilities HTTP response capabilities List file sizes List files
Lists drives Lists processes Locks mutex Move files
Open Windows registry key Overwrite or wipe file data by emptying the Recycling bin quietly Persistence via Windows registry Run key Query service information
Read files Reads memory Receive data Resolved Windows program files directory
Send data Sets Wallpaper Sets environmental variable Sets file attribute
Start a service Stop a service Terminates processes Uses AES
Uses AES256 Uses RC4 Uses RSA Writes memory

MITRE ATT&CK

Technique ID Name Technique ID Name
T1027 Obfuscated Files or Information T147.001 Virtualisation/Sandbox Evasion / System Checks
T1202 Indirect Command Execution T1078 Valid Accounts
T1562.001 Impair Defences: Disable or Modify Tools T1070.004 Indicator Removal on Host/ File Deletion
T1486 Data Encrypted for Impact T12082 System Information Discovery
T1120 Peripheral Device Discovery T1490 Inhibit System Recovery
T1566 Phishing T1498.001 Network Denial of Service / Direct Network Flood

Mitigations

The ACSC has published several products which can assist organisations in reducing the risk and impact of ransomware. These products can be found on the ACSC website.

The ACSC also recommends the following be implemented:

  • Patch operating systems and applications, and keep antivirus signatures up to date.
  • Scan emails and attachments to detect and block malware, and implement training and processes to identify phishing and externally-sourced emails.
  • Maintain offline, encrypted backups of data and regularly test your backups. Regularly conduct backup procedures and keep backups offline or in separated networks.

Indicators of Compromise

SNORT Alert

Snort IDS: 2007837 ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (WinInet)

YARA Rules

TLP:WHITE] win_avaddon_w0 (20200902 | Detects Avaddon ransomware)
rule win_avaddon_w0 {
meta:
description = "Detects Avaddon ransomware"
author = "@VK_Intel, modified by @r0ny_123"
reference = "https://twitter.com/VK_Intel/status/1300944441390370819"
tlp = "white"
date = "2020-09-01"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon"
malpedia_rule_date = "20200902"
malpedia_hash = ""
malpedia_version = "20200902"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
strings:
$str0 = "rcid"
$str1 = "hdd"
$str2 = "lang"
$cfg_parser = { 55 8b ec 6a ff 68 74 d8 46 00 64 ?? ?? ?? ?? ?? 50 81 ec 3c 02 00 00 a1 ?? ?? ?? ?? 33 c5 89 ?? ?? 56 57 50 8d ?? ?? 64 ?? ?? ?? ?? ?? 8b f1 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 8b ?? 51 8b ce ff ?? ?? 83 ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? 85 c0 0f ?? ?? ?? ?? ?? b9 10 00 00 00 c7 ?? ?? ?? ?? ?? ?? 3b c1 c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 0f 42 c8 83 ?? ?? ?? 8d ?? ?? 0f ?? ?? ?? 51 50 8d ?? ?? e8 ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 83 f8 10 0f ?? ?? ?? ?? ?? 83 c0 f0 b9 20 00 00 00 3b c1 0f 42 c8 83 ?? ?? ?? 8d ?? ?? 0f ?? ?? ?? 51 83 c0 10 8d ?? ?? 50 e8 ?? ?? ?? ?? c6 ?? ?? ?? 83 ?? ?? ?? 0f ?? ?? ?? ?? ?? 83 ?? ?? ?? 0f ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 8d ?? ?? ?? ?? ?? 8b ?? 51 8b ce ff ?? ?? 8b ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? ?? f3 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ??}
$crypt_imp_seq_0 = { 83 ?? ?? ?? 8b c7 c7 ?? ?? ?? ?? ?? ?? 72 ?? 8b ?? 6a 00 6a 00 8d ?? ?? 51 6a 00 6a 01 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 [3-6] 8b ?? ?? ff ?? ?? ?? ?? ?? 56 6a 00 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 [2-6] 83 ?? ?? ?? 72 ?? 8b ?? 6a 00 6a 00 8d ?? ?? 50 56 6a 01 6a 00 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? [0-3] 8d ?? ?? 50 6a 00 6a 00 ff ?? ?? 56 ff ?? ?? ff ?? ?? ?? ?? ?? }
condition:
uint16(0) == 0x5a4d and 1 of ($str*) and ($cfg_parser or $crypt_imp_seq_0)

SHA256 Hashes

Hash Type Hash
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA256 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b
SHA256 146e554f0d56db9a88224cd6921744fdfe1f8ee4a9e3ac79711f9ab15f9d3c7f
SHA256 165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8
SHA256 28adb5fa487a7d726b8bad629736641aadbdacca5e4f417acc791d0e853924a7
SHA256 2946ef53c8fec94dcdf9d3a1afc077ee9a3869eacb0879cb082ee0ce3de6a2e7
SHA256 29b5a12cda22a30533e22620ae89c4a36c9235714f4bad2e3944c38acb3c5eee
SHA256 331177ca9c2bf0c6ac4acd5d2d40c77991bb5edb6e546913528b1665d8b501f3
SHA256 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675
SHA256 5252cc9dd3a35f392cc50b298de47838298128f4a1924f9eb0756039ce1e4fa2
SHA256 61126de1b795b976f3ac878f48e88fa77a87d7308ba57c7642b9e1068403a496
Was this information helpful?

Thanks for your feedback!

Optional

Tell us why this information was helpful and we’ll work on making more pages like it