Avaddon ransomware

Avaddon ransomware existed for a relatively short period of time, but became widely known for the targets it chose for its attacks. A wide range of corporations from all over the world were forced to pay the ransom to get their files back and avoid publishing the corporate data. But it was shut down in less than half a year. Why?

You may be interested in taking a look at our other antivirus tools: Trojan Killer and Trojan Scanner.

About Avaddon Ransomware - What is it? Keep Your Privacy Well

Avaddon ransomware: describing the virus

GRIDINSOFT TEAM
Appeared in February 2020, Avaddon showed up a short but pretty active life: its developers decided to shut down their activity in May 2021. Nonetheless, it left a lot of things to remember after these 16 months. Avaddon ransomware had a lot in common with various other ransomware families but was still an outstanding example of how cybercriminals act in the modern world.

At the moment of its launch, Avaddon chose a new (for that time) model of action - so-called ransomware-as-a-service (RaaS). This model is aimed primarily at corporations since it supposes a pretty big ransom amount, as well as data stealing. However, key features of the RaaS model are other - ransomware is spread not directly by its developers, but by the affiliated persons, who have a certain commission for each successful injection.

Such a form not only increases the efficiency of ransomware injection but also makes the cyber police work harder. When there are a lot of distributors who have no relation to the originator of the virus, it is pretty hard to reach the top of this scheme. Even if the FBI or any other executive authority catches a lot of ransomware distributors, the developers of that malware have a lot of time to remove all proofs of their activity. However, Avaddon used the RaaS model, not from the start - it applied such a distribution scheme only in June 2020.

Notereadme.html, readme.txt
File pattern.avdn or random 10-characters like AbC23deF14
Encryption algorithmAES-256
FeaturesOne of the first “old” ransomware families who applied RaaS model. Attacked several world-known companies.
Ransom amount$500, $1000 in Bitcoins
Contactavaddonbotrxmuyl.onion
Damage
  1. Disables MS Defender and Volume Shadow Copies, steals the corporate data. Deletes system backups and files from the bin. Disabling automatic system restoration.
DistributionEmail spam, RDP vulnerabilities exploiting
FactsDoes not encrypt files on the systems with a Russian default locale.

Decryption service:

avaddonbotrxmuyl.onion
On the avaddonbotrxmuyl.onion page, the victim is asked to enter the User ID from the ransom note.

Injection

The actual way of injection and infecting the corporation has some details in common with other families. Like several other ransomware variants, that aim at large corporations, it is spread through malicious email spam and phishing. It is contrasting with Dharma ransomware - another example of the corporation-oriented virus, that is spread “manually” - through the vulnerability of RDP ports.

Avaddon ransomware also carries several other viruses - spyware and hacktool - to get some valuable information from the hacked corporation network. Then, cybercriminals begin to extort money not only for files decryption but also for keeping the corporate data unpublished. The total ransom amount reaches an average of $40,000. As practice shows, companies usually pay the offered sum to keep their secrets.

The encryption algorithm used by Avaddon ransomware is AES-256. This cipher is pretty strong to avoid hacking it in a regular way, but ransomware also manages to keep the decryption key on the remote server

Encryption

The encryption process has six steps:

  • Imports hardcoded master public RSA-2048 and master AES-CBC-256 keys.
  • Generates a session AES-CBC-256 key.
  • Adds IV to the master AES-CBC-256 key.
  • Uses the master AES-CBC-256 key to encrypt the data about the user with Base64 encoding and adds to the ransom note.
  • Encrypts the user’s files with the generated session AES-CBC-256 key.
  • Adds the session AES-CBC-256 key encrypted with RSA-2048 key to the end of every encrypted file.
  • The public master RSA-2048 and AES-CBC-256 keys are hardcoded.

Avaddon ignores some important Windows folders during the encryption process:

    C:\Perflogs
    System volume information
    C:\Users\Public
    C:\Users\{User}\AppData\Local\Temp
    C:\Program Files (x86)
    C:\Users\{User}\AppData
    C:\ProgramData
    C:\Windows

However, the ransomware is determined to encrypt Exchange and SQL servers, so it doesn’t skip the next paths:

    C:\Program Files\Microsoft\Exchange Server
    C:\Program Files (x86)\Microsoft\Exchange Server
    C:\Program Files\Microsoft SQL Server
    C:\Program Files (x86)\Microsoft SQL Server

Avaddon also skips files with the following extensions:

    exe, bin, sys, ini, dll, dat, drv, rdp, prf, swp, lnk.

Interesting facts about Avaddon

An interesting element that says a lot about the origins of that ransomware is the fact that Avaddon ransomware will not work in the system which has one of the languages from the Commonwealth of Independent Countries. This formation consists of ex-USSR countries, so it is quite easy to suppose that Avaddon is created somewhere in these countries. As soon as ransomware detects that the PC has a Ukrainian keyboard layout, for example, it stops the actions and removes itself completely from the victim’s PC, leaving no footprints of its activity.

One of the most wide-known cases of Avaddon attacks is a cyberattack on French insurance company AXA. Asian Assistance division of the company and its IT Operations department in Thailand, Hong Kong, the Philippines, and Malaysia was under attack. As fraudsters report in their money ransom note, they have stolen over 3TB of confidential data, related to the customers’ medical information - illnesses, pathologies, and various other sensitive things.

As the FBI states in their report, some of the victims who decided to pay the ransom have never got the decryption keys. Such a fraud (non-sending the decryption keys even after the payment) is not something new among ransomware - STOP/Djvu has a lot of the same cases - but the ransom amounts of Avaddon are much bigger.

Shutdown in May 2021

After almost 1,5 years of successful activity, being considered as one of the most prolific ransomware groups, Avaddon developers decided to… shutdown their activity. The true motives of their decision remain uncovered, but the background at the timeline gives several tips. Just a week before, another group of pretty successful crooks - DarkSide ransomware - claimed that they have lost access to their servers and were forced to shutdown their activity.

This happened just after the extremely loud cyberattack on the Colonial Pipeline, that led to the massive shutdown of gas stations in various states of the U.S. East Coast. In some moments, almost 20% of gas stations were shut down because of fuel shortages. However, there are no facts that the Avaddon shutdown is somehow related to DarkSide’s one - only guesswork.

At the moment of shutting down, Avaddon developers released the decryption keys for almost 3000 victims who did not purchase the keys earlier. This number wonders because only 88 companies have reported the Avaddon attack, and most of them were solved to the moment of the shutdown. Now, imagine, how many companies decided to conceal the fact of a ransomware attack and did not report it to law enforcements?

More about Avaddon ransomware:

🔗 Three major hack forums banned advertising of ransomware
🔗 Spanish student created free decryptor for Avaddon
🔗 Avaddon ransomware group closes shop, share all 2,934 decryption keys.