Threat Hunting for Avaddon Ransomware
Avaddon is a cryptolocker ransomware written in C++ that is best known for encrypting files and changing the file extension to .avdn. The ransomware also deletes the volume shadow copies and other system backups and typically demands a ransom ranging between $150 and $900. Since the ransomware uses strong encryption algorithms like AES256 and RSA2048, no decryptor is available and it is impossible to decrypt the file without the key that was used to encrypt it. This ransomware is sold similar to other Ransomware-as-a-service(RaaS) like REvil. Thus, even someone with limited technical background can become an “affiliate” to spread the malware. In return, the profit gets shared between the threat actor and the affiliate. In this blog post we dissect this malware and discuss methods to perform threat hunting for the Avaddon ransomware family.
Figure 1: Phishing Email (Source: Bleeping Computer)
Figure 2: Avaddon JScript Downloader (Source: Bleeping Computer)
Figure 3: Avaddon Ransomware download using PowerShell and BITS
The ransomware does not perform much command and control (C2) communication. However, as soon as the binary is executed, it connects to https://api.myip.com to get the external IP address of the victim machine(Indicator #2).
Figure 4: Network Traffic from Avaddon
Security analysts can hunt for Avaddon download attempts by correlating and detecting the pattern of phishing email activity along with binary download using PowerShell and BITS admin that we describe above.
In fact, the Awake Security Platform identifies this sequence of actions and surfaces the malicious behavior on the network (similar to MITRE ATT&CK ID: T1566, T1197). The platform then creates a graphical visualization of the attack Situation as shown in Figure 5 below, demonstrating that a Windows device is accessing gmail.com and an IP address, which in this case is the Avaddon C2 server.
Figure 5: Awake Situation for Avaddon Download
It is recommended to backup all important data to external drives or in the cloud for better security. It is advised not to screen all email and refrain from opening any attachment from unknown sources. Finally, identify the sequence and patterns of communication we describe here to uncover the presence of Avaddon on your network.
If you liked what you just read, subscribe to hear about our threat research and security analysis.
Dig Deeper with These Resources
Awake Security 2 Minute Explainer Video
What if security could think? What if it could sense danger, calculate risk, and react quickly based…
The Internet’s New Arms Dealers: Malicious Domain Registrars
This report dives into the results of a multi-month investigation that uncovered a massive global surveillance campaign…