According to BleepingComputer, the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide.

The FBI said in a TLP:GREEN flash alert last week that Avaddon ransomware affiliates are trying to breach the networks of manufacturing, healthcare, and other private sector organizations around the world.

The ACSC expanded on the targeting information today, saying that the ransomware gang’s affiliates are targeting entities from a wide range of sectors, including but not limited to government, finance, law enforcement, energy, information technology, and health.

While the FBI only mentions the ongoing attacks, the ACSC also provides a list of countries under attack, including the US, UK, Germany, China, Brazil, India, UAE, France, and Spain, to name just a few.

“The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilizing the Avaddon Ransomware malware [..] actively targeting Australian organisations in a variety of sectors,” the ACSC added [PDF].

“The ACSC is aware of several instances where the Avaddon ransomware has directly impacted organizations within Australia.”

The ACSC also mentions Avaddon threat actors threatening with denial-of-service (DDoS) attacks to persuade victims into paying ransoms (in addition to leaking stolen data and encrypting their system).

However, as the FBI said, no evidence has been found of DDoS attacks following Avaddon ransomware attacks.

The Avaddon ransomware gang first announced in January 2021 that they will launch DDoS attacks to take down victims’ sites or networks until they reach out and begin negotiating to pay the ransom.

BleepingComputer first reported about this new trend in October 2020, when ransomware groups began using DDoS attacks against their victims as an additional leverage point.

At the time, the two ransomware operations that were using this new tactic were SunCrypt and RagnarLocker.

Avaddon ransomware samples were first detected in February 2019, and it began recruiting affiliates in June 2020 after it launched a massive spam campaign targeting users worldwide.

Affiliates who join this RaaS operation are responsible for compromising networks to deploy payloads or distribute the ransomware via spam or exploit kits. At the same time, its operators are accountable for developing the malware and operating the TOR payment site.

The Avaddon RaaS operation also asks affiliates to follow a set of rules, one of them being not to go after targets from the Commonwealth of Independent States (CIS).

Avaddon pays each affiliate 65% of ransom payments they bring in, with the operators getting a 35% share. However, as with other RaaS programs, larger affiliates can usually negotiate higher revenue shares depending on the size of their attacks.

The average ransom payment demanded by Avaddon affiliates is roughly 0.73 bitcoins (approximately $41,000) in exchange for a decryption tool (Avaddon General Decryptor).

Avaddon ransomware affiliates are also known for stealing data from their victims’ networks before encrypting systems for double-extortion.

 

Avaddon ransomware operators have been successful in utilizing the double extortion method in order to coerce payments from victims. What is unusual in this instance is the threat of DDoS after their attacks. There wasn’t any evidence of Avaddon using this tactic, so what was the reasoning for the threat?

Most threat groups who announce their plans and tactics actually follow through. Did Avaddon just wanted the fear of a potential DDoS attack to hang over victims after the ransomware attack to pressure them into paying? Most organizations are able to shore up any vulnerabilities and recover with a security firm before a DDoS attack could be carried out, so that isn’t likely.

Avaddon may have just wanted to increase the notoriety of their group as a whole. There isn’t a solid explanation for why Avaddon operators would want to mention a tactic they weren’t going to use, but our engineers will be actively tracking this group to observe their tactics and see how they introduce new methods of attack, if they ever do.

Our team will continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.