# New Avaddon Ransomware launches in massive smiley spam campaign **[bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/](https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) June 8, 2020 02:14 PM 0 With a wink and a smile, the new Avaddon Ransomware has come alive in a massive spam campaign targeting users worldwide. Avaddon was launched at the beginning of this month and is actively recruiting hackers and malware distributors to spread the ransomware by any means possible. As its first known attack, the Avaddon Ransomware is being distributed in a spam campaign [reminiscent of February's Nemty Ransomware Love Letter campaign.](https://www.bleepingcomputer.com/news/security/nemty-ransomware-actively-distributed-via-love-letter-spam/) ## You like my photo? In a wave of emails using subjects like "Your new photo?" or "Do you like my photo?" containing nothing but a winking smiley face, a JavaScript downloader for the Avaddon ransomware is being distributed. ----- **Example Avaddon spam email** In a [related report shared with BleepingComputer, the cybersecurity firm Appriver stated](https://appriver.com/resources/blog/june-2020/phorphiextrik-botnet-delivers-avaddon-ransomware) that the Phorphiex/Trik Botnet is distributing the malicious emails. This campaign is not small, as AppRiver security researcher David Picket told us that they had blocked over 300,000 emails in just a short period. Attached to these emails is a JavaScript file masquerading as a JPG photo with names like IMG123101.jpg. Before you ask why someone would open a JavaScript file that was emailed to them, it is important to remember that Windows hides file extension by default, even though it is a [known security risk.](https://www.bleepingcomputer.com/news/microsoft/hiding-windows-file-extensions-is-a-security-risk-enable-now/) That means to the recipient, it would just appear as a .jpg file, as shown below. ----- **JavaScript file** **displayed as a JPG** When executed, the JS attachment will launch both a PowerShell and Bitsadmin command to download the Avaddon ransomware executable to the %Temp% folder and run it. **Avaddon JScript downloader** In the sample tested by BleepingComputer, once executed, the ransomware will search for data to encrypt and append the .avdn extension to encrypted files. ----- **Files encrypted by Avaddon** In each folder, a ransom note named [id]-readme.html will also be created. This ransom note contains a link to the TOR payment site and a unique victim ID used to login to the site. ----- **Avaddon Ransom Note** **(Click to enlarge)** This TOR payment site includes the ransom amount, which in our cause was $900, and instructions on how to pay for a decryptor. ----- **Avaddon TOR payment site** Other sections of the TOR site include a support chat, free test decryption, and a help page illustrated by Harry Potter characters. ----- **Avaddon TOR help page** [Unfortunately, ID-Ransomware creator Michael Gillespie has analyzed the ransomware and](https://twitter.com/demonslay335) stated that it is secure and cannot be decrypted for free. ## More to come In advertisements posted to Russian-speaking hacker forums at the beginning of the month, Avaddon has stated that they are a new Ransomware-as-an-Affiliate (RaaS) program. ----- **Avaddon advertisement on dark web** A RaaS program is when the ransomware creator is responsible for the development of the malware and the operation of the TOR payment site. Affiliates who join the program are responsible for distributing the ransomware via spam, compromising networks, and exploit kits. As part of this arrangement, Avaddon is paying affiliates 65% of any ransom payments they bring in, and the Avaddon operators will receive 35%. Larger affiliates are commonly able to negotiate a higher revenue share depending on the size of their attacks. As is typical with RaaS programs, Avaddon has a series of rules that affiliates must follow when distributing the ransomware. The most common rule is that they cannot target victims in the [Commonwealth of Independent States (CIS).](https://en.wikipedia.org/wiki/Commonwealth_of_Independent_States) It is forbidden to work in the CIS countries (AZ, AM, BY, KZ, KG, MD, RU, TJ, UZ, UA, GE, TM) It is forbidden to indicate or pass on to third parties the address of the admin panel on the ----- .onion network. It is forbidden to upload .exe to unverified scanners that merge AV labs. Now that the Avaddon creators have started accepting applications, we should expect to see distribution increase and more advanced attacks to occur. ### Related Articles: [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [New ‘Cheers’ Linux ransomware targets VMware ESXi servers](https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/) [SpiceJet airline passengers stranded after ransomware attack](https://www.bleepingcomputer.com/news/security/spicejet-airline-passengers-stranded-after-ransomware-attack/) [US Senate: Govt’s ransomware fight hindered by limited reporting](https://www.bleepingcomputer.com/news/security/us-senate-govt-s-ransomware-fight-hindered-by-limited-reporting/) ## IOCs ### Hashes: ``` Attachment: 94faa76502bb4342ed7cc3207b3158027807a01575436e2b683d4816842ed65d Avaddon: 05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2 Associated files: IMG123101.jpg.js.zip IMG123101.jpg.js %temp%\97459754.exe %temp%\646246465.exe [id]-readme.html Ransom note text: ``` ----- ``` Your network has been infected by Avaddon All your documents, photos, databases and other important files have been encrypted and you are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software - Avaddon General Decryptor. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page Download Tor browser - https://www.torproject.org/ Install Tor browser Open link in Tor browser - avaddonbotrxmuyl.onion Follow the instructions on this page Your ID: XXX DO NOT TRY TO RECOVER FILES YOURSELF! DO NOT MODIFY ENCRYPTED FILES! OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! ``` [Avaddon](https://www.bleepingcomputer.com/tag/avaddon/) [Hacker Forum](https://www.bleepingcomputer.com/tag/hacker-forum/) [RaaS](https://www.bleepingcomputer.com/tag/raas/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Smiley](https://www.bleepingcomputer.com/tag/smiley/) [Wink](https://www.bleepingcomputer.com/tag/wink/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/security/facebook-sues-companies-for-registering-impostor-domains/) [Next Article](https://www.bleepingcomputer.com/news/security/us-energy-providers-hit-with-new-malware-in-targeted-attacks/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----