Search This Blog

Showing posts with label Avaddon. Show all posts

US and Australia Warn of Rise in Avaddon Ransomware Attacks

 

The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued an alert about an ongoing Avaddon ransomware campaign that is affecting organizations across a wide range of industries in the United States and across the world. 

Avaddon ransomware associates are attempting to breach the networks of manufacturing, healthcare, and other private sector entities around the world, according to a TLP:GREEN flash warning issued by the FBI last week. 

The ACSC clarified the targeting details today, stating that the ransomware group's associates are targeting companies from a broad variety of industries, including government, banking, law enforcement, energy, information technology, and health. Although the FBI only cites ongoing attacks, the ACSC lists a number of countries that have been targeted, including the United States, the United Kingdom, Germany, China, Brazil, India, the United Arab Emirates, France, and Spain, to name a few.

"The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilizing the Avaddon Ransomware malware [..] actively targeting Australian organizations in a variety of sectors," the ACSC added. 

Avaddon threat actors threaten victims with denial-of-service (DDoS) attacks in order to persuade them to pay ransoms, according to the ACSC (in addition to leaking stolen data and encrypting their system). However, no evidence of DDoS attacks has been discovered as a result of the Avaddon ransomware attacks, according to the FBI. 

The Avaddon ransomware group first declared in January 2021 that they would use DDoS attacks to bring down victims' websites or networks before they reach out and negotiate a ransom payment. 

When ransomware groups started using DDoS attacks against their victims as an additional leverage point, BleepingComputer first posted on this new trend in October 2020. SunCrypt and RagnarLocker were the two ransomware operations that used this new strategy at the time. 

The first Avaddon ransomware samples were discovered in February 2019, and the ransomware started hiring affiliates in June 2020 after launching a massive spam campaign that targeted users all over the world. Affiliates of the Avaddon RaaS operation are required to obey a set of guidelines, one of which is that no targets from the Commonwealth of Independent States be pursued (CIS). 

Avaddon pays each affiliate 65 percent of the ransom money they bring in, with the operators receiving the remaining 35 percent. Avaddon ransomware’s affiliates have also been known to steal data from their victims' networks before encrypting systems in order to double-extortion. 

Almost all active ransomware operations have adopted this technique, with victims commonly informing their customers or employees of potential data breaches following ransomware attacks.

New South Wales Labor Party Hit By Avaddon Threat Attackers Demand Ransom


On Wednesday afternoon New South Wales (NSW) police unit has disclosed an apparent ransomware attack on the New South Wales labor party. 

Global cybercriminals group has given a 10 days timeline to the labor party to pay a ransom or else the illicitly accessed credentials will be put into the public domain including driver’s licenses, images of passports, and employment contracts.

According to the data, the ransomware operational group named Avaddon, which emerged in Russia is found to be behind the recent breach. Additionally, for further information Sydney City Police Area Command, has already begun its inquiries against the attack. 

The Avaddon ransomware was originated in the middle of 2020 in an underground forum(where participants exchange information on abusive tactics and engage in the sale of illegal goods and services, which are a form of online social network (OSN). Research suggests that Avaddon has been linked to various malicious activities, including data compromise and leaked credentials of at least 23 organizations as of February this year. 

Further, a research university, Rey Juan Carlos in Spain has published a research paper in which it disclosed that the Avaddon ransomware uses distributed denial-of-service attacks against its victims that denied to pay the ransom. 

“NSW Labor, the company does not want to cooperate with us, so we give them 240 hours to communicate and cooperate with us. If this does not happen before the time counter expires, we will leak valuable company documents…” 

“…We have a large amount of data on contracts, a lot of confidential information, confidential contracts, driver’s licenses, passports, employment contracts, information about employees, resumes, and more,” Avaddon said in a post on its website. 

Prior to this cyberattack, Austrian high profile organizations have been targeted including the email systems of the Commonwealth and West Australian parliaments that were taken offline this year. Now, a major political party has become a victim of cyber threats; however, this is the first time when cyber attackers have tried to extort an Australian political party for their financial advantages. 

Josh Lemon, managing director of digital forensics and incident response at business advisory firm Ankura, said most of the screenshots contained keywords such as “sensitive” and “confidential”. 

“Although it’s a little bit abstract, as someone who isn’t the victim, it’s intended to provide proof to the actual victim,” Mr. Lemon added.