Business Continuity Management / Disaster Recovery , Cybercrime , Fraud Management & Cybercrime

Avaddon Ransomware Joins Data-Leaking Club

Operators Create a Dedicated Leak Site, Continue Recruiting Affiliates
Avaddon Ransomware Joins Data-Leaking Club
Avaddon ransom note (Source: TMMalAnalyst)

Yet another ransomware-wielding gang has threatened to steal and leak the data of any victims who refuse to pay a ransom.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

Security experts say the gang behind Avaddon ransomware created a dedicated leaking site this past weekend (see: Ransomware Gangs Go ((Lady)) Gaga for Data Breaches).

Israeli cybersecurity intelligence firm Kela told Bleeping Computer that the operators behind Avaddon announced their data-leaking site via a Russian-language cybercrime forum. So far, the ransomware gang has listed one victim - a construction firm - from which 3.5 MB of allegedly stolen documents have been leaked.

"The attackers published a sample of the obtained data, including information related to the company's activity in the U.K., Mexico, Philippines, Malaysia and Thailand," Kela tells Information Security Media Group.

Avaddon ransomware operators announce that they've created a dedicated leak site (reachable via anonymizing Tor browser) for publishing leaks, and they continue to seek new affiliates. (Source: Kela)

Kela says the operators of Avaddon have also been continuing to recruit new affiliates, which refers to attackers who receive a personalized version of the ransomware tied to a unique affiliate ID, then share profits with the operators whenever a victim pays a ransom. Based on the gang's posts, it appears to be recruiting affiliates who know how to obtain and use stolen or brute-forced remote desktop protocol or other remote-access credentials for gaining access to targeted networks (see: Top Ransomware Attack Vectors: RDP, Drive-By, Phishing).

The Avaddon author doesn’t provide a means of distributing the ransomware, however according to their forum posts, they recommend purchasing your foothold from other sources such as 'dediks' - attackers that have already compromised several computers and sell access to them," says Tarik Saleh, a senior security engineer and malware researcher at DomainTools. "Keep in mind that the Avaddon ransomware is RaaS - ransomware as a service - and therefore the binaries we see in the wild are not necessarily attacks from that specific group but rather from customers [affiliates] of theirs," he says in a blog post.

Avaddon First Spotted in June

Avaddon appears to have been first spotted in early June, and was quickly analyzed by multiple researchers.

Malware researcher Andrew Ivanov (Amigo-A) said in a blog post that the "ransomware encrypts user data with AES-256 + RSA-2048 and then demands a ransom of $150 to $350 or more in BTC [bitcoins] to get the files back."

Separately, the malware analyst who uses the handle TMMalAnalyst detailed how a Trojan was being used to trick victims into executing JavaScript that would download the ransomware from third-party sites and execute it.

In July, Microsoft's security intelligence group warned that whoever was behind Avaddon was also using Microsoft Excel spreadsheets with malicious macros to spread the ransomware, potentially via targeted attacks. "Emails carrying the malicious Excel attachments were sent to specific targets, primarily in Italy," Microsoft warned. "When run, the malicious macro downloads the Avaddon ransomware."

"While an old technique, malicious Excel 4.0 macros started gaining popularity in malware campaigns in recent months," Microsoft reported on July 2. "The technique has been adopted by numerous campaigns, including ones that used COVID-19 themed lures."

Another Avaddon campaign described by the security firm Trend Micro involved photo-themed emails with an attached zip file that contained a malicious JavaScript file.

Sample email used to spread Avaddon (Source: Trend Micro)

If a user executes that file, "it uses a PowerShell command and the BITSAdmin command-line tool to download and run the ransomware payload," Trend Micro researchers said in a blog post published last month. "After this, the affected users will see that the ransomware has encrypted the files and appended them with the .avdn file extension."

DomainTools' Saleh says that seeing "redundancy in loaders" is common, because it increases attackers' chance of successfully infecting a system. "Your victim machine might not successfully execute the PowerShell command, but the BITSadmin fork process might," he says.

In addition, he notes that the use of PowerShell suggests that the ransomware operators are "likely targeting outdated Windows systems running Internet Explorer that might not have ATP/Defender enabled," since Microsoft has been cracking down on finding and blocking malicious PowerShell scripts, he says. (Windows Defender, now part of Windows Security, is Microsoft's free anti-virus product built into Windows, while Microsoft Defender Advanced Threat Protection is a paid-for tool that offers additional endpoint protection capabilities.)

View of a desktop of a system infected by Avaddon (Source: TMMalAnalyst)

Like many types of malware, Avaddon is programmed to terminate itself if it finds that the Windows Locale ID is set to 419 (Russia) or 422 (Ukraine), or if the keyboard layout is set to 419 (Russia), 422 (Ukraine), 444 (Tatar) or 485 (Yukut, Russia), Trend Micro says.

Avaddon's aversion to infecting Russians may reflect this cybercrime reality: Russian authorities typically turn a blind eye to online crime committed by citizens, provided they target foreigners, in part because the country's legal statutes have historically made such activity difficult to prosecute. But for Russians who steal from Russians, authorities have not hesitated to crack down (see: Russia's Cybercrime Rule Reminder: Never Hack Russians).

Under Pressure

Avaddon's addition of a dedicated data-leaking site comes after numerous other gangs adopted the tactic.

The purpose of leak sites is typically threefold, following a well-known path of escalation that's designed to increase the psychological pressure on victims to pay:

  1. Name and shame victims: A leak site will list recent victims, promising to remove victims' names if they agree to pay a ransom.
  2. Leak data: The gang will begin leaking samples of stolen data if the ransom is not paid.
  3. Dump or auction data: At a certain point, the gang will give up. Some, including REvil, then auction stolen data to the highest bidder. Others will just dump it all online. Either step is meant to scare future victims into paying.

Last November, the Maze ransomware gang kicked off the trend of leaking stolen data in an attempt to force victims to cough up bitcoins. At the time, security experts told ISMG that it wasn't clear if such tactics would lead to bigger payoffs or if they might instead prompt a backlash by victims, leading to even fewer ransom payments.

Many months later, however, data-leaking sites have become a fact of life, with more than a dozen gangs now running dedicated sites or even hosting leaks for rival gangs (see: Maze Reportedly Posts Exfiltrated Canon USA Data).

Gangs' rapid adoption of data-leaking sites was likely driven by fewer victims paying, or paying as much as attackers were demanding, says Raj Samani, chief scientist at security firm McAfee and a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol. Regardless of this particular tactic, he says it demonstrates how criminals operating online, including ransomware-wielding gangs, constantly innovate to try and maximize profits (see: Top Cybersecurity Challenge: 'More Capable Threat Actors').

Any Attack Can Exfiltrate Data

Security firm Emsisoft says that in the first six months of this year, more than 11% of ransomware infections potentially involved data exfiltration. That statistic comes from the free ID Ransomware service run by the company's Michael Gillespie. The service helps ransomware victims identify the strain of ransomware used against them and identify potential decryption options. "Of the roughly 100,000 submissions received in the first half of this year," more than 11,000 "related to attacks by the groups that overtly steal data," Emsisoft says in a blog post (see: Ransomware + Exfiltration + Leaks = Data Breach).

But it's important to remember that any attacker who gains remote access to an organization's network may have stolen data, whether or not it ends up on a leak site (see: 8 Tips for Crafting Ransomware Defenses and Responses).

"All ransomware groups have the ability to exfiltrate data," Emsisoft says. "While some groups overtly steal data and use the threat of its release as additional leverage to extort payment, other groups likely covertly steal it."

Prevalent: WannaCry, Locky and Cerber

Avaddon remains just one of numerous strains of ransomware being seen in the wild.

WannaCry, Locky and Cerber were the three most-seen types of ransomware in 2019, as well as for the first five months of this year, according to scans conducted by Trend Micro. (Caveat: All security firms have a different view of the prevalence of any given malware, since such information is gleaned from attempted attacks against their customers' PCs and servers, which will have different concentrations in different geographies.)

While WannaCry's continuing prevalence since it debuted in May 2017 might seem surprising, Trend Micro says it continues to be far and away the most-seen strain of crypto-locking malware (see: Group Behind WannaCry Now Using New Malware).

Ransomware families with the most detections, May 2020 (Source: Trend Micro)

"WannaCry’s retention of the highest number of detections can be attributed to its worm component and its operators’ persistence in trying to propagate the malware regularly," Trend Micro says. "We foresee that WannaCry will continue having such a high number of detections until either a new, massive ransomware comes into being, or the sources for WannaCry are found and removed."


This report has been updated with additional details about the timeframe in which Avaddon was discovered, as well as with insights from DomainTools.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.