Over the last few months, the Cybereason Nocturnus Team has been tracking the activity of the Avaddon Ransomware. It has been active since June 2020 and is operating with the Ransomware-as-a-Service (RaaS) and double extortion models, targeting sectors such as healthcare. Avaddon is distributed via malspam campaigns, where the victim is being lured to download the malware loader.

key findings

• Classic Luring Technique: To lure the victim, the Avaddon loader is sent as a double extension attachment in phishing emails, tricking the victim into thinking an image of them was leaked online and sent to them.

• Active Threat Group: Since its discovery in June 2020, Avaddon is still an active threat, marking almost a year of activity.

• Hybrid Encryption: Avaddon uses a popular hybrid encryption technique by combining AES and RSA keys, typical to other modern ransomware.

• Double Extortion: Joining the popular double extortion trend, Avaddon has their own “leaks website” where they will publish exfiltrated data of their victims if the ransom demand is not satisfied.

• Use of Windows Tools: Various legitimate Windows tools are used to delete system backups and shadow copies prior to encryption of the targeted machine.

• Detected and Prevented: The Cybereason Defense Platform fully detects and prevents the Avaddon ransomware.

Background

The Avaddon Ransomware was discovered in June 2020, and remains a prominent threat ever since. Their first infection vector was spreading phishing emails that were luring victims with a supposedly image of them, sending it as an email attachment. This in fact was a double extension JavaScript downloader that downloads and executes the Avaddon Ransomware:

Avaddon phishing email

The ransomware is written in C++ and can be recognized by the “.avdn” extension that appends to the encrypted files in certain versions. Avaddon uses a hybrid encryption method, similar to other modern Ransomware, using AES256 and RSA2048 encryption keys.

Avaddon follows the popular double extortion technique by threatening to expose their victims’ data on a dedicated “leaks website” where they also post fragments of the stolen data as…