11 May 2021

FBI and ACSC warn of ongoing Avaddon ransomware campaign

The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued alerts warning of an ongoing Avaddon ransomware campaign targeting organizations in a variety of sectors across the world.

According to the ACSC’s advisory, Avaddon threat actors are targeting entities in multiple countries, including Australia, the US, the UK, France, Germany, Canada, Spain, China, the Czech Republic, Costa Rica, India, Italy, Portugal, Poland and others. The targeted sectors include government, finance, law enforcement, energy, information technology, health, freight and transport, manufacturing, retail and airlines.

Avaddon is advertised as a RaaS (Ransomware-as-a-Service) on underground forums. The malware is primarily delivered via phishing and other malicious emails that carry malicious JavaScript files as attachments, the ACSC said.

Other characteristics of the campaigns involving Avaddon include the use of ‘double extortion’ techniques to increase pressure on victims to pay: the actors threaten to leak the victim’s data if the ransom is not paid, and also threaten DDoS attacks against victims.

According to the FBI, the extortion/data leak process typically follows these steps:

Leak Warning: After initially gaining access to a victim network, Avaddon actors leave a ransom note on the victim’s network and post a “leak warning” to the Avaddon TOR leak website (avaddongun7rngel.onion). The warning consists of screenshots from files (e.g., sensitive documents) and proof of access to the victim’s network (e.g., screenshots of network folders).

5 Percent Leak: If the victim does not pay the ransom within 3 to 5 days, Avaddon actors increase the pressure on victims by leaking a portion of the files (as opposed to screenshots). The Avaddon actors leak this data by uploading a small .ZIP file to Avaddon’s TOR leak website.

Full Leak: If the ransom is not paid after the 5 percent leak, Avaddon actors post all their exfiltrated data in large .ZIP files in the “Full dumps” section of the Avaddon TOR leak website.

Avaddon threat actors demand ransom payment via Bitcoin, with an average demand of around 0.73 bitcoin.

To reduce the risk of compromise, the ACSC advises organizations to keep operating systems and applications up to date, scan emails and attachments for malware, and maintain offline, encrypted backups of data.
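Because the advisory names malicious JavaScript attachments as the primary delivery vector, one concrete form of the "scan emails and attachments" advice is an attachment policy check that refuses script files, including script files hidden inside ZIP archives or behind a double extension. The following is an added example written for this article, not code from the ACSC or FBI advisories; the sample message is constructed, and the extension list is an assumption (the advisory only mentions JavaScript; the other Windows Script Host types are added as a typical mail-filter policy).

```python
"""Flag e-mail attachments that match the Avaddon delivery vector
(script files such as .js sent as phishing attachments).

Added example for this article, not code from the ACSC or FBI advisories.
The sample message below is constructed; the extension list is an
assumption based on the advisory's mention of malicious JavaScript files,
extended with other Windows Script Host types a mail filter commonly blocks.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Script extensions that should not arrive as e-mail attachments (assumed policy list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Archive types to inspect one level deep.
ARCHIVE_EXTENSIONS = {".zip"}


def _suffix(name: str) -> str:
    """Return the final extension of a filename in lower case ('' if none)."""
    return PurePosixPath(name).suffix.lower()


def risky_names(filename: str, data: bytes) -> list[str]:
    """Return names (attachment or archive member) that carry a script extension.

    Checks the attachment itself and, for ZIP archives, each member, so that
    an 'Invoice.pdf.js' inside 'Invoice.zip' is still caught.
    """
    hits = []
    if _suffix(filename) in SCRIPT_EXTENSIONS:
        hits.append(filename)
    if _suffix(filename) in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _suffix(member) in SCRIPT_EXTENSIONS:
                        hits.append(f"{filename}!{member}")
        except zipfile.BadZipFile:
            # A .zip that does not parse is itself suspicious; flag the container.
            hits.append(f"{filename} (unparseable archive)")
    return hits


def scan_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return all flagged attachment names."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        flagged.extend(risky_names(name, payload))
    return flagged


def build_sample_message() -> bytes:
    """Construct a sample phishing-style message: a ZIP holding a .js file plus a benign PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder content; the double extension is the point, not the body.
        zf.writestr("Invoice_2021.pdf.js", "// placeholder text, not a real script\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_2021.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name in scan_message(build_sample_message()):
        print("BLOCK:", name)
```

The check deliberately keys on the final extension rather than the declared MIME type, since a sender controls the Content-Type header; in a real gateway the flagged message would be quarantined and logged rather than delivered, and the archive inspection would be extended to nested archives and password-protected ZIPs, which this example treats as unparseable and therefore flags.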
