Avaddon ransomware, a Ransomware-as-a-Service (RaaS) platform, combines data encryption with theft and extortion. Emerging in 2019, Avaddon became notably aggressive by June 2020. Affiliates of the service have targeted a broad range of organisations globally through spam and phishing campaigns, often embedding malicious JavaScript files.
When an organisation falls victim to Avaddon ransomware, it faces not only data encryption but also threats of public data leaks and distributed denial of service (DDoS) attacks intended to pressure it into paying the ransom.
Immediate Actions: Contain and Neutralize
- Assess the Attack: Determine if the attack is ongoing. If active, identify and isolate affected devices immediately. This can be done by unplugging network cables or disabling Wi-Fi. For widespread impact, consider isolating entire network segments at the switch level.
- Evaluate Damage: Identify affected endpoints, servers, and operating systems. Check if backups are intact or compromised. Secure an offline copy of any intact backups. Determine which machines remain unaffected, as these will be crucial for recovery.
- Incident Response Plan: If a comprehensive incident response plan is lacking, quickly establish one. Assemble a team including IT admins, senior management, external security experts, cyber insurance contacts, and legal counsel. Consider reporting the incident to law enforcement and data protection authorities. Communicate with users and customers about the incident carefully, avoiding normal communication channels that attackers might monitor.
Next Steps: Investigate
After containment, conduct a thorough investigation to prevent future incidents. Specialist incident response and threat hunting services can be invaluable here.
- Infiltration Duration: Attackers often dwell in networks for days or weeks before launching ransomware. They use this time to explore the network, steal valuable data, and maximise disruption.
- Initial Access Methods: Common entry points include spam campaigns with malicious JavaScript, exposed RDP services, and vulnerable VPNs. Tools like Shodan.io can help identify potential vulnerabilities in your network.
- Compromised Accounts: Attackers aim to secure domain admin accounts and other critical accounts. Tools like Mimikatz are used to steal credentials and escalate privileges.
- Network Scanning: Attackers map out network assets, including servers, endpoints, and backup locations, to maximise their impact.
- Backdoors and Persistence: Attackers install backdoors to maintain access and control over the network, using tools like Cobalt Strike and AnyDesk.
- Data Exfiltration: Before launching ransomware, attackers often exfiltrate sensitive data using tools like WinRAR and cloud storage services like Mega.nz.
- Targeting Backups: Attackers may attempt to encrypt, delete, or disable backups. Offline backups are essential for recovery.
- Disabling Security: Attackers try to identify and disable security solutions. Local security management consoles are particularly vulnerable.
- Timing of Attack: Ransomware deployment often occurs during off-hours to avoid detection, with file encryption taking hours to complete.
- Post-Attack Monitoring: Attackers may continue monitoring the network after the ransomware is deployed, looking for recovery efforts or planning additional attacks.
- Extortion Tactics: Besides encryption, attackers may threaten to leak stolen data on sites like avaddongun7rngel[.]onion unless a ransom is paid.
Proactive Measures
- 24/7 Network Monitoring: Identify and respond to early signs of an attack.
- Secure RDP Access: Disable internet-facing RDP or place it behind a VPN with Multi-Factor Authentication (MFA).
- Employee Training: Educate employees about phishing and malicious spam.
- Regular Backups: Follow the 3-2-1 backup rule (three copies, two different systems, one offline).
- Advanced Security Solutions: Use solutions with cloud-hosted management consoles, MFA, and Role-Based Administration.
- Layered Security Approach: Implement defence-in-depth strategies across all endpoints and servers.
- Incident Response Plan: Regularly update and test your incident response plan, seeking external expertise if necessary.
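One concrete control for the malicious-JavaScript-attachment lure described above is a mail-gateway check that flags script attachments, including ones wrapped in a ZIP archive or hidden behind a double extension. The following is an added example written for this page, not code from the original article; the extension list, the hypothetical function names and the constructed sample message are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions commonly abused by script-based droppers (illustrative list, an assumption).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def suspicious_name(name):
    """Return a reason string if the filename looks like a script dropper, else None."""
    parts = name.lower().rsplit(".", 2)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in SCRIPT_EXTENSIONS:
        return None
    # A double extension such as invoice.pdf.js is a classic lure to hide the script type.
    if len(parts) == 3:
        return f"double extension {name}"
    return f"script attachment {name}"


def scan_message(raw_bytes):
    """Parse an RFC 822 message and list findings for risky attachments, looking inside ZIPs."""
    findings = []
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = suspicious_name(name)
        if reason:
            findings.append(reason)
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for inner in zf.namelist():
                        inner_reason = suspicious_name(inner)
                        if inner_reason:
                            findings.append(f"{name} contains {inner_reason}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable archive {name}")
    return findings


def build_sample_message():
    """Constructed phishing-style sample: a ZIP holding a harmless placeholder named like a JS dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2020.pdf.js", "// placeholder text only, not a real script")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "user@example.org", "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"notes", maintype="application", subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()
```

Run `scan_message(build_sample_message())` to see the archive flagged; in production the same function would sit in a mail filter and quarantine any message with a non-empty finding list.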
Conclusion
Handling a cyberattack like Avaddon ransomware is a complex and stressful process. Beyond addressing the immediate threat, it is critical to identify the attack’s entry points, learn from any security lapses, and strengthen your defences to prevent future incidents. This comprehensive approach is essential to safeguard your organisation from recurring attacks.