New Avaddon Ransomware launches in massive smiley spam campaign

June 9, 2020


With a wink and a smile, the new Avaddon Ransomware has come alive in a massive spam campaign targeting users worldwide.

Avaddon was launched at the beginning of this month and is actively recruiting hackers and malware distributors to spread the ransomware by any means possible.

As its first known attack, the Avaddon Ransomware is being distributed in a spam campaign reminiscent of February's Nemty Ransomware Love Letter campaign.

You like my photo?

In a wave of emails using subjects like "Your new photo?" or "Do you like my photo?" containing nothing but a winking smiley face, a JavaScript downloader for the Avaddon ransomware is being distributed.

Example Avaddon spam email
Example Avaddon spam email

In a related report shared with BleepingComputer, the cybersecurity firm Appriver stated that the Phorphiex/Trik Botnet is distributing the malicious emails.

This campaign is not small, as AppRiver security researcher David Picket told us that they had blocked over 300,000 emails in just a short period.

Attached to these emails is a JavaScript file masquerading as a JPG photo with names like IMG123101.jpg.

Before you ask why someone would open a JavaScript file that was emailed to them, it is important to remember that Windows hides file extension by default, even though it is a known security risk.

That means to the recipient, it would just appear as a .jpg file, as shown  below.

JavaScript file displayed as a JPG
JavaScript file displayed as a JPG

When executed, the JS attachment will launch both a PowerShell and Bitsadmin command to download the Avaddon ransomware executable to the %Temp% folder and run it.

Avaddon JScript downloader
Avaddon JScript downloader

In the sample tested by BleepingComputer, once executed, the ransomware will search for data to encrypt and append the .avdn extension to encrypted files.

Files encrypted by Avaddon
Files encrypted by Avaddon

In each folder, a ransom note named [id]-readme.html will also be created. This ransom note contains a link to the TOR payment site and a unique victim ID used to login to the site.

Avaddon Ransom Note (Click to enlarge)
Avaddon Ransom Note (Click to enlarge)

This TOR payment site includes the ransom amount, which in our cause was $900, and instructions on how to pay for a decryptor.

Avaddon TOR payment site
Avaddon TOR payment site

Other sections of the TOR site include a support chat, free test decryption, and a help page illustrated by Harry Potter characters.

Avaddon TOR help page
Avaddon TOR help page

Unfortunately, ID-Ransomware creator Michael Gillespie has analyzed the ransomware and stated that it is secure and cannot be decrypted for free.

More to come

In advertisements posted to Russian-speaking hacker forums at the beginning of the month, Avaddon has stated that they are a new Ransomware-as-an-Affiliate (RaaS) program.


A RaaS program is when the ransomware creator is responsible for the development of the malware and the operation of the TOR payment site.

Affiliates who join the program are responsible for distributing the ransomware via spam, compromising networks, and exploit kits.

As part of this arrangement, Avaddon is paying affiliates 65% of any ransom payments they bring in, and the Avaddon operators will receive 35%. Larger affiliates are commonly able to negotiate a higher revenue share depending on the size of their attacks.

As is typical with RaaS programs, Avaddon has a series of rules that affiliates must follow when distributing the ransomware. The most common rule is that they cannot target victims in the Commonwealth of Independent States (CIS).

It is forbidden to work in the CIS countries (AZ, AM, BY, KZ, KG, MD, RU, TJ, UZ, UA, GE , TM)
It is forbidden to indicate or pass on to third parties the address of the admin panel on the .onion network.
It is forbidden to upload .exe to unverified scanners that merge AV labs.

Now that the Avaddon creators have started accepting applications, we should expect to see distribution increase and more advanced attacks to occur.



Attachment: 94faa76502bb4342ed7cc3207b3158027807a01575436e2b683d4816842ed65d
Avaddon: 05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2

Associated files:

Ransom note text:

Your network has been infected by Avaddon
All your documents, photos, databases and other important files have been encrypted and you are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software - Avaddon General Decryptor. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page
Download Tor browser -
Install Tor browser
Open link in Tor browser - avaddonbotrxmuyl.onion Follow the instructions on this page Your ID:

Read the original article and additional information at Cyware Social