The operators of the Avaddon ransomware appear to be tooling up to conduct so-called double extortion cyber attacks, a relatively new tactic whereby cyber criminal gangs not only hold their victims’ encrypted data to ransom, but threaten to leak it to the general public unless they are paid.
High-profile victims of such attacks are already known to include the likes of printing and imaging technology supplier Canon, celebrity law firm Grubman, services firm Allied Universal, medical research outfit HMR, security insurance provider Chubb, and electronics firm LG, among many others.
The double extortion tactic was popularised by the operators of Maze, but is now spreading to other criminal groups, and earlier in August, BleepingComputer’s Lawrence Abrams revealed compelling evidence purporting to show that the operators of Avaddon had set up a dark web site to publicly leak data stolen from its victims, a la Maze and ReVIL/Sodinokibi.
Now, Cofense Intelligence cyber threat analyst Aaron Riley has confirmed new attack patterns that confirm the Avaddon gang is expanding into data exfiltration.
The ransomware first came to widespread attention in June 2020, when it was spotted hitting a broad group of targets via the Trik botnet via phishing emails. Like many other strains, it is run as a ransomware-as-a-service (RaaS) business.
“The exfiltration of sensitive data can be damaging to an organisation and levy heavy legal, financial and reputational consequences, which is why threat actors use it to leverage extortion payment,” he wrote in a new disclosure notice. “With these most recent developments, Avaddon has joined a few other ransomware families in adding data exfiltration to use as leverage for extortion payments.”
Riley said he was now seeing a campaign in which Avaddon is combined with an information stealer, strongly suggesting that its operators are preparing to make good use of their new dark web domain. This campaign is successfully able to evade email security solutions and is targeting several different industries, including energy, healthcare, insurance, manufacturing, mining and retail.
A typical Avaddon phish as identified by Cofense spoofs a well-known shipping brand – in this case FedEx. If the target clicks on the malicious embedded link sent to them, they will download the malicious Smoke Loader program, which in turn acts as a delivery mechanism for both Avaddon and Racoon Stealer.
Riley noted that considering Avaddon is run as a RaaS business, it showed a certain consistency that its operators are employing Racoon Stealer, which is run as a malware-as-a-service (MaaS) to add new features to their attacks. He added that using a MaaS sample to steal data suggested the Avaddon gang has the ability to plug-and-play with other MaaS families if they need or want to.
He said that double extortion attacks were particularly dangerous at present because typically, an organisation can prepare itself for ransomware by being extra diligent over its data backups – this is quite evidently now no longer enough if the data is also being stolen and leaked, and also raises the possibility of legal action by the data subjects and regulators, as well as reputational damage.
“As Avaddon sees increasing success from these efforts, we can expect more ransomware operators to follow suit,” said Riley. “In conclusion, we predict that the most dangerous part of ransomware to organisations soon will be data exfiltration.”