Over the last few months, the Cybereason Nocturnus Team has been tracking the activity of the Avaddon ransomware. It has been active since June 2020 and operates under the Ransomware-as-a-Service (RaaS) and double extortion models, targeting sectors such as healthcare. Avaddon is distributed via malspam campaigns in which the victim is lured into downloading the malware loader.
• Classic Luring Technique: To lure the victim, the Avaddon loader is sent as a double extension attachment in phishing emails, tricking the victim into thinking an image of them was leaked online and sent to them.
• Active Threat Group: Since its discovery in June 2020, Avaddon has remained an active threat, marking almost a year of activity.
• Hybrid Encryption: Avaddon uses a popular hybrid encryption technique combining AES and RSA keys, typical of other modern ransomware.
• Double Extortion: Joining the popular double extortion trend, Avaddon runs its own “leaks website” where it publishes exfiltrated data of its victims if the ransom demand is not satisfied.
• Use of Windows Tools: Various legitimate Windows tools are used to delete system backups and shadow copies prior to encryption of the targeted machine.
• Detected and Prevented: The Cybereason Defense Platform fully detects and prevents the Avaddon ransomware.
Avaddon phishing email
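The double-extension lure described above (a script or executable attachment named to look like a leaked picture) is something a mail gateway or triage script can flag before the loader is ever opened. The following is an added example, not code from Cybereason or the report; the decoy and executable extension lists and the sample attachment names are assumptions constructed for illustration.

```python
# Assumption (not from the report): inner extensions that make an attachment
# look like a harmless picture/document, and outer extensions that execute.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe",
                         ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}


def split_extensions(filename: str) -> list:
    """Return every dot-suffix of a filename, lowercased and stripped.

    'IMG.jpg.js' -> ['.jpg', '.js']. Whitespace inside a part is stripped so
    the padding trick 'pic.jpg      .exe' still yields ['.jpg', '.exe'].
    """
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # drop any path
    parts = name.split(".")
    if len(parts) < 2:
        return []
    return ["." + p.strip().lower() for p in parts[1:]]


def is_double_extension_lure(filename: str) -> bool:
    """True when the final extension executes and an earlier one is a decoy type."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False
    outer, inner = exts[-1], exts[:-1]
    return outer in EXECUTABLE_EXTENSIONS and any(e in DECOY_EXTENSIONS for e in inner)


def flag_attachments(filenames):
    """Filter a list of attachment names down to the suspicious ones."""
    return [f for f in filenames if is_double_extension_lure(f)]


# Constructed sample attachment names (not taken from the report).
SAMPLE_ATTACHMENTS = [
    "IMG_0457.jpg.js",       # looks like a photo, runs as a script
    "photo.jpeg",            # ordinary image
    "invoice.pdf.exe",
    "report.final.docx",     # two dots, but the real extension is a document
    "leaked_pic.PNG.SCR",    # mixed case screensaver executable
    "notes.txt",
]

if __name__ == "__main__":
    for name in flag_attachments(SAMPLE_ATTACHMENTS):
        print("suspicious attachment:", name)
```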
The ransomware is written in C++ and can be recognized by the “.avdn” extension appended to encrypted files in certain versions. Avaddon uses a hybrid encryption method, similar to other modern ransomware, combining AES256 and RSA2048 encryption keys.
Avaddon follows the popular double extortion technique by threatening to expose their victims’ data on a dedicated “leaks website” where they also post fragments of the stolen data as…