FBI and ACSC warn of ongoing Avaddon ransomware campaign

The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued alerts warning of an ongoing Avaddon ransomware campaign targeting organizations in a variety of sectors across the world.

According to the ACSC’s advisory, Avaddon threat actors are targeting entities in multiple countries, including Australia, the US, the UK, France, Germany, Canada, Spain, China, Czech Republic, Costa Rica, India, Italy, Portugal, Poland and others. The targeted sectors include government, finance, law enforcement, energy, information technology, health, freight and transport, manufacturing, retail and airlines.

Avaddon is advertised as a RaaS (Ransomware-as-a-Service) on underground forums. The malware is primarily delivered via phishing and malicious emails containing malicious JavaScript files, the ACSC said.

Campaigns involving Avaddon also use ‘double extortion’ techniques to add pressure to pay: the actors threaten to leak the victim’s data if the ransom is not paid, and threaten DDoS attacks against victims.

According to the FBI, the extortion/data leak process typically follows these steps:

Leak Warning: After initially gaining access to a victim network, Avaddon actors leave a ransom note on the victim’s network and post a “leak warning” to the Avaddon TOR leak website (avaddongun7rngel.onion). The warning consists of screenshots from files (e.g., sensitive documents) and proof of access to the victim’s network (e.g., screenshots of network folders).

5 Percent Leak: If the victim does not quickly pay the ransom within 3 to 5 days, Avaddon actors increase the pressure on victims by leaking a portion of the files (as opposed to screenshots). The Avaddon actors leak this data by uploading a small .ZIP file to Avaddon’s TOR leak website.

Full Leak: If the ransom is not paid after the 5 percent leak, Avaddon actors post all their exfiltrated data in large .ZIP files in the “Full dumps” section of the Avaddon TOR leak website.

Avaddon threat actors demand ransom payment via Bitcoin, with an average demand of around 0.73 bitcoin.

To reduce the risk of compromise, the ACSC advises organizations to keep operating systems and applications up to date, scan emails and attachments for malware, and maintain offline, encrypted backups of data.
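The delivery vector described above (emails carrying JavaScript files) can be screened for at the mail gateway or during triage of a reported message. The following is an added example, not code from the FBI or ACSC advisories: it flags script attachments sent directly or packed inside a ZIP attachment. The extension list, function names and sample messages are assumptions constructed for the illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types Windows runs on double-click. Assumed list for this example;
# the advisory itself only names JavaScript files.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".hta")

def is_script(name):
    # Trailing dots/spaces are stripped because Windows ignores them in file names.
    return name.lower().rstrip(". ").endswith(SCRIPT_EXTS)

def script_attachments(raw_eml: bytes):
    """Return sorted names of script files attached directly or inside ZIP attachments."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_script(name):
            hits.append(name)
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if is_script(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable zip>")  # treat as suspicious
    return sorted(hits)

def build_sample(kind):
    """Constructed test messages; attachment bodies are harmless placeholders."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "user@example.com", "Document"
    msg.set_content("See attachment.")
    if kind == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("scan_0001.pdf.js", "// placeholder")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photo.zip")
    elif kind == "direct":
        msg.add_attachment(b"// placeholder", maintype="application", subtype="octet-stream", filename="Invoice.JS")
    else:
        msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for kind in ("zip", "direct", "clean"):
        print(kind, script_attachments(build_sample(kind)))
```

A non-empty result is a reason to quarantine the message for analysis; an empty result does not mean the message is safe, since this check looks only at file names and one level of ZIP nesting.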
