Saturday, November 28, 18:54
Home security The new Avaddon Ransomware appears in a massive spam campaign

The new Avaddon Ransomware appears in a massive spam campaign

The new Avaddon Ransomware comes to life in a huge spam campaign that targets users around the world.

Avaddon was released earlier this month and recruits active hackers and malware distributors to spread ransomware in every possible way.

As his first known attack, Avaddon Ransomware is being distributed on a spam campaign reminiscent of the February Nemty Ransomware Love Letter campaign.

Avaddon Ransomware

Do you like my photograph;

In an email wave that uses topics like "Do you like my photo?" or "Your new photo?", which contains nothing but emoji 😉 characters, a JavaScript download program for Avaddon ransomware is available.

Avaddon Ransomware

In a related report, the cyber security company Appriver said that Phorphiex / Trik Botnet distributes malicious email.

This campaign is not small, as AppRiver security researcher David Picket told us, that they had blocked more than 300.000 emails in a short time.

Attached to these emails is a JavaScript file that is "disguised" as a JPG photo with names such as IMG123101.jpg.

Now if you're wondering why someone should open a JavaScript file sent to them via email, it's important to remember that Windows hide it file extension by default, although security risk is known.

This means that what appears to the recipient will be just a .jpg file, as shown below.

Avaddon Ransomware

When executed, the attached JS will launch a PowerShell and Bitsadmin command to perform λήψη of Avaddon ransomware that can be run in the% Temp% folder and run it.

In the sample tested by BleepingComputer, once run, ransomware will search for encryption data and add the .avdn extension to encrypted files.

Avaddon Ransomware

In each folder, a notebook called [id] -readme.html will be created. This ransom note contains a link to the TOR website and a unique one victim identification used to link to the website.

Avaddon Ransomware

This TOR payment website includes the ransom amount and instructions on how to pay for a decryptor.

Other sections of the TOR website include one support chat, a free trial decryption and help page "adorned" by its characters Harry Potter.

Unfortunately, Michael Gillespie analyzed the ransomware and said it was safe and could not be decrypted for free.

In ads published on Russian-language hacking forums earlier this month, Avaddon said it was a new Ransomware-as-an-Affiliate (RaaS) program.

This means that the ransomware creator is responsible for the development of the malware and the operation of the payment website. TOR.

Participants in the program are responsible for the distribution of ransomware via spam, compromise networks and exploit kits.

Under this agreement, Avaddon pays partners 65% of the ransom they bring and Avaddon providers will receive 35%. Larger partners are usually able to negotiate a higher share of revenue depending on the size of their attacks.

As is typical with RaaS programs, Avaddon has a set of rules that partners must follow when distributing ransomware. The most common rule is that they cannot target victims in the Commonwealth of Independent States (CIS).

Now that the creators of Avaddon have started accepting applications, we should expect to see an increase in distribution and more advanced attacks.


Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehc
Be the limited edition.


How to choose which extensions will appear in the Edge toolbar

Extensions to Microsoft Edge can make your browser more useful. But sometimes you may not like it ...

COVID-19 vaccines: North Korea hacks drugs

South Korea, to be precise, its intelligence service, has thwarted North Korea's efforts to invade South Korean companies ...

Drupal: Security updates to deal with exploits

The developers of the Drupal content management system (CMS) have released emergency security updates due to the availability of some exploits, which can put in ...

How to disable "Get even more out of Windows" in Windows 10

Does it bother you that "Get even more out of Windows" appears every time you update to Windows 10? May be...

The US military is investigating "telepathic" communication technology

The U.S. Army Research Bureau is funding a new study on how brain signals could ...

Canon acknowledged the ransomware attack in August

About three months later, Canon publicly confirmed the ransomware attack it suffered in early August, which affected servers ...

Hackers love expired domains

Sometimes, website owners do not want to continue to have a domain name and allow it to ...

Word: How to add the same text to multiple documents with one link

Microsoft Word makes it easy to add the same text to multiple documents. This is especially convenient for text with special formatting, the ...

Black Friday: Cybercriminals are monitoring your shopping

Due to the conditions that have emerged from the pandemic of COVID-19, the online shopping will be particularly high on Black Friday and ...

US fertility: Ransomware attack on the largest fertility network in the USA!

US Fertility, the largest fertility network in the US, announced that some of its systems were encrypted in an ransomware attack that ...