11 May 2021

FBI and ACSC warn of ongoing Avaddon ransomware campaign

The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued alerts warning of an ongoing Avaddon ransomware campaign targeting organizations in a variety of sectors across the world.

According to the ACSC’s advisory, Avaddon threat actors are targeting entities in multiple countries, including Australia, the US, the UK, France, Germany, Canada, Spain, China, the Czech Republic, Costa Rica, India, Italy, Portugal, Poland and others. The targeted sectors include government, finance, law enforcement, energy, information technology, health, freight and transport, manufacturing, retail and airlines.

Avaddon is advertised as a RaaS (Ransomware-as-a-Service) on underground forums. The malware is primarily delivered via phishing and malicious emails containing malicious JavaScript files, the ACSC said.

Campaigns involving Avaddon also rely on ‘double extortion’ techniques to pressure victims into paying: the actors threaten to leak the victim’s data if the ransom is not paid, and also threaten DDoS attacks against victims.

According to the FBI, the extortion/data leak process typically follows these steps:

Leak Warning: After initially gaining access to a victim network, Avaddon actors leave a ransom note on the victim’s network and post a “leak warning” to the Avaddon TOR leak website (avaddongun7rngel.onion). The warning consists of screenshots from files (e.g., sensitive documents) and proof of access to the victim’s network (e.g., screenshots of network folders).

5 Percent Leak: If the victim does not pay the ransom within 3 to 5 days, Avaddon actors increase the pressure on victims by leaking a portion of the files (as opposed to screenshots). The Avaddon actors leak this data by uploading a small .ZIP file to Avaddon’s TOR leak website.

Full Leak: If the ransom is not paid after the 5 percent leak, Avaddon actors post all their exfiltrated data in large .ZIP files in the “Full dumps” section of the Avaddon TOR leak website.

Avaddon threat actors demand ransom payment via Bitcoin, with an average demand of around 0.73 bitcoin.

To reduce the risk of compromise the ACSC advises organizations to keep operating systems and applications up to date, scan emails and attachments for malware, and maintain offline, encrypted backups of data.
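The ACSC’s advice to scan emails and attachments follows directly from the delivery method described above: malicious JavaScript files attached to phishing emails. The script below is an added example (not from the advisory, the FBI alert or this article) of a mail-gateway style attachment check: it parses a raw RFC 822 message, flags attachments whose final extension is a Windows script type, and also lists the member names of ZIP attachments so that a script hidden inside a small archive, or behind a double extension such as "invoice.pdf.JS", is caught without extracting anything. The blocklist of extensions and the sample message are assumptions constructed for the example; a real deployment would hang this logic off the organization’s mail filter.

```python
"""Attachment-policy check for inbound mail, flagging script attachments
(e.g., JavaScript files) of the kind Avaddon is reported to be delivered with.
Added example; not code from the advisory, the FBI alert or the article."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will hand to WScript/CScript or mshta as scripts.
# Assumption: a conservative blocklist chosen for this example, not taken
# from the advisory.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def is_script_name(filename: str) -> bool:
    """True if the final extension (case-insensitive) is a script type.
    Checking only the last extension is what defeats 'invoice.pdf.JS'."""
    name = filename.lower().strip()
    return any(name.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def zip_members(data: bytes) -> list[str]:
    """Member names of a ZIP archive, read from the central directory only;
    nothing is extracted. Non-ZIP data yields an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def flag_attachments(raw_message: bytes) -> list[str]:
    """Return findings for the attachments of a raw RFC 822 message.
    Script files are flagged directly; ZIP archives (by name or by the 'PK'
    magic) have their member names checked as well."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_script_name(fname):
            findings.append(f"script attachment: {fname}")
        elif fname.lower().endswith(".zip") or payload[:2] == b"PK":
            for member in zip_members(payload):
                if is_script_name(member):
                    findings.append(f"script inside archive {fname}: {member}")
    return findings


def build_sample_message() -> bytes:
    """Constructed sample message: a benign PDF name, a bare .js attachment,
    and a ZIP whose member uses a double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 stub", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"// stub", maintype="application",
                       subtype="octet-stream", filename="invoice.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.JS", "// stub")
        zf.writestr("readme.txt", "hello")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in flag_attachments(build_sample_message()):
        print(finding)
```

The check is deliberately name-based and cheap, which is what an inbound gateway can afford on every message; it complements, rather than replaces, the malware scanning the advisory calls for, and the archive handling is the part most often missing from simple extension filters.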
