Avaddon Ransomware: What Cyberattack Victims Should Do
A dangerous ransomware variant that combines encryption, hijacking and data theft is being peddled as a service to affiliates that are expanding the malware’s reach to a wider range of targets worldwide, security provider Sophos said.
Of particular note, the Avaddon operators have said they will not support attacks on government facilities, healthcare, education and charity organizations, in stark contrast to many of their ransomware co-conspirators. The thinking is the proprietors may be getting pickier about who they allow to buy subscriptions to the malware, Sophos said.
Avaddon Ransomware: Cyberattack Mitigation Checklist
The security specialist has put together a primer to help IT administrators potentially hit by an Avaddon attack. Here’s what to do, what to do next and what to expect if you suspect you’ve been attacked:
Sophos says do this: Contain and neutralize.
- If you suspect the attack is still underway and you don’t have the tools in place to stop it, determine which devices have been impacted and isolate them immediately.
- Assess which endpoints, servers and operating systems were affected and what has been lost.
- If you don’t have a comprehensive incident response plan in place, identify who should be involved in dealing with this incident.
- The attackers may be eavesdropping so don’t use your normal channels of communication.
Sophos says do this next: Investigate
- The attackers have most likely been on your network for a few days or even weeks. Sophos said its incident responders have seen intruder dwell times ranging from 10 to 28 days in Avaddon attacks.
- The attackers could use a variety of different methods to break in your network.
- They will have secured access to domain admin accounts as well as other user accounts.
- They will have scanned your network. They know how many servers and endpoints you have and where you keep your backups, business critical data and applications.
- The attackers are likely to have downloaded and installed back doors that allow them to come and go on your network and install additional tools.
- Avaddon operators will try to exfiltrate corporate data prior to the main ransomware event.
- They will have tried to encrypt, delete, reset or uninstall your backups.
- The attackers will have tried to identify what security solution is used on the network and whether they can disable it. Free default tools, such as Windows Defender, can be disabled instantly by anyone with enough admin rights.
- The process of file encryption, which takes hours, probably took place when no IT admins or security professionals were online to notice, possibly during the middle of the night or on the weekend.
- The ransomware will have been deployed to all your endpoints and any servers that were online at the time of attack providing that is what the attacker wanted. If your servers were encrypted, but not your endpoints, that is because the attacker chose to only target your servers.
- The Avaddon attackers may use the tools they installed earlier to remain in the network to monitor the situation and even your email communications to see how you respond to the release of the ransomware.
- The time spent in your network will likely have allowed the attackers to steal business critical, sensitive and confidential information that they now threaten to publicly expose.
Should the victim decline to pay the ransom, the attacker may bide its time until the victim recovers from the initial attack to launch a second one to show it can keep returning until paid. Also, targets hit by Avaddon affiliates risk seeing their data published on a public “leak site” or sold to other attackers to use, Sophos said.
“It can be tempting to clear the immediate threat and close the book on the incident, but the truth is that in doing so you are unlikely to have eliminated all traces of the attack,” Sophos wrote. “It is important that you take time to identify how the attackers got in, learn from any mistakes and make improvements to your security. If you don’t, you run the risk that the same attacker or another one might come and do this to you again next week.”