Threat Thursday: Avaddon Ransomware Uses DDoS Attacks as Triple Threat

UPDATE 6/17/2021: After recent attention due to several high-profile ransomware incidents, the ransomware group behind Avaddon seems to be shuttering their current operations. Law enforcement efforts to track down malware operators have visibly increased after the recent attack on Colonial Pipeline, operators of a major fuel pipeline system based in the Eastern U.S., which prompted DarkSide to shut down their own operations.

Avaddon has released the decryptors to the latest version their threat. While this may mean the end of this version of their creation, there are still many other ransomware groups still in full operation. Previous advice regarding prevention and mitigation of ransomware still applies, and can help protect you against threats by these and other groups.

Summary

The Avaddon ransomware variant first appeared in early 2020 and made international headlines due to recent attacks against Australian organizations and Asia-based cyber insurance company AXA. Both the Federal Bureau of Investigations (FBI) and the Australian Cyber Security Center (ACSC) have released warnings regarding an ongoing attack by this malware family.

Avaddon is distributed as a Ransomware as a Service (RaaS) for use in targeted attacks. The infection vector of Avaddon is phishing emails.

Like DarkSide and REvil ransomware, Avaddon also uses a double extortion scheme where data is both encrypted locally and exfiltrated before the ransom demand is made. If the victim refuses to pay, their data is published to a site located on the dark web at avaddongun7rngel[dot]onion.

Avaddon, however, goes one step further. To further ‘encourage’ victims to pay the ransom, attackers also subject them to a third threat - a Distributed Denial of Service (DDoS) attack – until the ransom is paid.

Visiting the dark web site, the current victims can be seen under “new companies” that Avaddon has infected. For example, they claim to have 3 TB of data from AXA, which is notably large compared to other victims. They also allege that some of the data making up this 3TB contains customer medical reports, customer claims, payments to customers, customer ID's, customer scanned bank account papers, hospitals and doctors reserved material, and more. The Avaddon gang have also attached a proof of stolen data screenshot for each affected victim.

Operating System

Risk & Impact

Technical Analysis

Avaddon ransomware masquerades as Microsoft® host process for Windows tasks called “taskhost.exe”.

This is a common method for malware writers to trick unwitting users into believing that the file is a trusted and legitimate Microsoft file:

Figure 1: Fake 'taskhost.exe' file information.

Avaddon samples are not packed, but some of the strings are obfuscated to hinder static detection and analysis:

Figure 2: Obfuscated strings.

To de-obfuscate the strings, several steps must occur: a base64 decode must first be performed, followed by a XOR operation using a key in hexadecimal, then addition with a key in hex, and then a final XOR operation with a key in hex. The hex values required vary from sample to sample. It has also been observed that some Avaddon samples perform subtraction instead of addition:

Figure 3: String decryption.

For example, upon de-obfuscation of those strings, a string “KD4yPHkMERoFEAgcEAkCeQUGHQb1BnlwPzAyPxUmKzo8FTIXJg==” decodes to “wmic SHADOWCOPY DELETE /nointeractive”.

The full list of de-obfuscated strings can be found in Appendix A.

Figure 5: De-obfuscated string.

Upon execution, Avaddon creates a copy of itself in the “C:\Users\%user name%\AppData\Roaming\Microsoft\Windows” folder. The copied file is then used to create a scheduled task called “update” to maintain persistence:

Figure 6: Scheduled task called 'update'.

This threat also modifies the registry keys to bypass User Account Control (UAC). It also escalates privileges to obtain access to mapped network drives by setting the registry values of EnableLUA and ConsentPromtBehaviorAdmin to 0 and EnableLinkedConnections to 1:

Figure 7: Modified registry keys.

Avaddon then deletes shadow copies using the following commands:

wmic.exe:

• wmic SHADOWCOPY DELETE /nointeractive

vssadmin.exe:

• vssadmin Delete Shadows /All /Quiet

The malware also deletes system backups using the following commands, to ensure the victim can’t easily restore the encrypted files:

wbadmin.exe:

• wbadmin DELETE SYSTEMSTATEBACKUP
• wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
• wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0

bcdedit.exe:

• bcdedit /set {default} recoveryenabled No
• bcdedit.exe -> bcdedit /set {default} bootstatuspolicy ignoreallfailures

Avaddon will begin enumerating the infected system, ignoring certain locations to avoid encrypting files there. Those locations are the following:

• C:\$Recycle.Bin
• C:\Program Files
• C:\Program Files (x86)
• C:\ProgramData
• C:\Users\All Users
• C:\Users\%username%\AppData
• Folders containing the name "Tor Browser”

Avaddon will look in the “Program Files” and “Program Files (x86)” folders for the presence of Microsoft Exchange Server, Microsoft SQL Server, and MySQL. If those directories can be found, Avaddon will start encrypting the affected file types and append them with a “.beDBDdeCd” file extension.

The appended file extension varies from sample to sample, but it typically follows a pattern of 9-10 lower/upper case letters [a-eA-E]{9,10}. In earlier versions of Avaddon, the appended file extension was ‘.avdn’:

Figure 8: Encrypted files.

This threat drops a ransom note titled ‘jpNx9_readme_.txt’ in each affected directory. The random lower-and-upper-case letters and numbers used for naming the readme text file also vary from sample to sample.

The ransom note informs the infected user that all documents, photos, databases, and other file of importance have been encrypted:

Figure 9: Avaddon ransom note.

To access the Avaddon’s dark web page, the victim is required to download a Tor browser and navigate to the attacker’s dark web site to input the key. This key can be found in the ransom note:

Figure 10: Avaddon URL for key input.

The ransom note alerts the victim that many files have been downloaded by the threat actor. They then have three days to get in contact with the Avaddon group, otherwise the sensitive data will be published on the attacker’s dark web site at avaddongun7rngel[dot]onion.

Figure 11: Avaddon victims (company names obscured for privacy).

To ensure that the ransom is paid in a timely fashion, Avaddon DDoSes the victim’s website, rendering it unusable and inaccessible. The page also contains a list of all new companies that have become Avaddon’s latest victims. Attackers also publish some screenshots of the material that has been stolen from each victim. For example, the screenshots may include copies of passports, ID cards, and other private documents. 

The “Full dump” section of the website contains a list of data dumps from victims who have refused to cooperate with the Avaddon gang. Those “dump” files can be downloaded by anyone who accesses the site. These files are compressed, and no password was required to extract the contents:

Figure 12: unzipped data dump contents.

Yara Rule

The following Yara rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:

Indicators of Compromise (IoCs)

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain.

By stopping malware at this stage, BlackBerry solutions help organizations increase their resilience. It also helps reduce infrastructure complexity and streamline security management to ensure business, people, and endpoints are secure.

Appendix A

BlackBerry Assistance

If you’re battling Avaddon ransomware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you providing around-the-clock support, where required, as well as local assistance. Please contact us here:  https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment