Severity

High

Analysis Summary

A new Ransomware-as-a-Service (RaaS), Avaddon, and its recent campaign. It has appeared in the wild as part of a massive spam campaign leveraging the Phorphiex/Trik Botnet for sending emails. Attached to the emails, the bodies of which simply contains a winking smiley face, is a ZIP archive containing a JavaScript file masquerading as a JPG. The JavaScript code is responsible for using both PowerShell and Bitsadmin to download and run an executable file from a remote server. On execution, the ransomware encrypts target files and appends a .avdn extension. An HTML ransom note is dropped on the system directing victims to a TOR site where they can buy a decryptor. The site includes a support chat system, free decryption test, and a help page. Researchers also discovered advertisements in Russian-speaking hacker forums attempting to recruit affiliates into their RaaS program.

Impact

File encryption

Remediation

• Always be suspicious about emails sent by unknown senders.
• Never click on the emails/sent by unknown senders.