Sophos: Avaddon Ransomware Becoming More Prominent, Aggressive

Dwell times range from 10 days to four weeks in these attacks.

Edward Gately, Senior News Editor

May 24, 2021

4 Min Read
Paying ransomware

Avaddon ransomware, ransomware-as-a-service (RaaS) that combines encryption with data theft and extortion, poses a serious threat to organizations globally.

That’s according to the Sophos Rapid Response team. It has published a guide for IT teams outlining what they can expect if they are hit with Avaddon ransomware. The guide aims to help IT admins and others understand what to look out for. Moreover, it outlines the immediate action they can take to strengthen security.

Avaddon ransomware has been around since 2019, but has become more prominent and aggressive since June 2020.

Peter Mackenzie is incident response manager at Sophos.


Sophos’ Peter Mackenzie

“Affiliates or customers of the service have been observed deploying Avaddon to a wide range of targets in multiple countries, often through malicious spam and phishing campaigns that carry booby-trapped JavaScript files,” he said. “Organizations hit with Avaddon ransomware face more than just data encryption. There is also the threat of public data exposure on the Avaddon leak site and, more recently, the risk of distributed denial of service (DDoS) attacks disrupting operations. These tactics are designed to increase pressure on victims to the ransom demanded.”

If You’ve Been Hit

If an organization suspects it’s been hit and it doesn’t have the tools in place to stop it, it should determine which devices have been impacted and isolate them immediately, Mackenzie said.

“The easiest option is to simply unplug the network cable or turn off the Wi-Fi adapter,” he said. “If the damage is more widespread than a few devices, consider doing this at the switch level and taking entire network segments offline instead of individual devices. Only shut down devices if you can’t disconnect the network.”

Next steps include assessing damage. Also, if you don’t have an incident response plan in place, determine who should be involved in dealing with the incident, Mackenzie said.

“Last, but definitely not least: you’ll want to talk to people about what’s happening,” he said. “But the attackers may be eavesdropping, so don’t use your normal channels of communication. If the intruders have been in your network for awhile, they’ll probably have access to email, for instance.”

Sophos incident responders have seen intruder dwell times ranging from 10 days to four weeks in attacks that involved the release of Avaddon ransomware.

Avaddon Investigation Tips

When investigating, it’s important to keep in mind:

  • The attackers have most likely been in your network for a few days or even weeks.

  • The attackers could use a variety of methods to break into your network.

  • They have secured access to domain admin accounts, as well as other user accounts.

  • The attackers will have scanned your network. They know how many servers and endpoints you have. In addition, they know where you keep your backups, business-critical data and applications.

  • They are likely to have downloaded and installed backdoors. That allows them to come and go on your network, and install additional tools.

  • They will try to exfiltrate corporate data prior to the main ransomware event.

  • They will have tried to identify the security solution is used on the network and whether they can disable it.

In addition, the launch of the ransomware is not the end, Mackenzie said.

“The Avaddon attackers may use the tools they installed earlier to remain in the network to monitor the situation and even your email communications to see how you respond to the release of the ransomware,” he said. “An email to the CEO stating you will be OK because they didn’t encrypt the backups on server X could be a disaster if the attacker read it and still had access to that server. The attacker may also wait until you recover to then launch a second attack to really emphasize that they can keep doing this until you pay.”

Another Tactic

Avaddon ransomware attackers have another tactic designed to pressure targets into paying, Mackenzie said. They launch a DDoS attack in an attempt to disrupt operations and communications.

Sophos suggests proactive steps to enhance your IT security for the future. Those include being aware of the indicators of attack to stop ransomware attacks before they’re launched. In addition, educate employees on what to look for in terms of phishing and malicious spam. Furthermore, introduce strong security policies.

Having a layered defense-in-depth security model is important.

“Dealing with a cyberattack is a stressful experience,” Mackenzie said. “It can be tempting to clear the immediate threat and close the book on the incident, but the truth is that in doing so you are unlikely to have eliminated all traces of the attack. It is important that you take time to identify how the attackers got in, learn from any mistakes and make improvements to your security. If you don’t, you run the risk that the same attacker or another one might come and do this to you again next week.”

Read more about:


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like