{
	"id": "b909eb8e-5505-44b0-a5f8-c0ab2e2dbb1a",
	"created_at": "2026-04-06T00:12:21.899949Z",
	"updated_at": "2026-04-12T02:21:22.926688Z",
	"deleted_at": null,
	"sha1_hash": "86b15eda326c51a03fcac927eaf8d406bc6fc82f",
	"title": "Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 536136,
	"plain_text": "Ransomware Report: Avaddon and New Techniques Emerge,\r\nIndustrial Sector Targeted\r\nArchived: 2026-04-02 11:58:01 UTC\r\nAdditional insights by Monte De Jesus, Mohammed\r\nMalubay, and Alyssa Christelle Ramos\r\nUpdated on July 23, 2020 3 AM EDT with added data on new ransomware families.\r\nThis past couple of months, ransomware has remained a formidable threat as new families, techniques, and targets\r\ncontinue emerging at every turn. Recently, we witnessed the rise of new ransomware family Avaddon. We also\r\nexamined techniques utilized by some ransomware variants and the industries affected by these attacks.\r\nAdditionally, we included our latest figures about ransomware families with the most detections, new ransomware\r\nfamilies, and the most affected industries and segments.\r\nAvaddon ransomware\r\nThe new ransomware called Avaddon (detected by Trend Micro as Ransom.Win32.AVADDON.YJAF-A) has been\r\nobserved at large.  A trojan (detected by Trend Micro as Trojan.JS.AVADDON.YJAF-A) downloads the\r\nransomware from malicious sites and runs them on the system. This has been reported in a series of twitter posts\r\nby TMMalAnalyst.\r\nThe ransomware is propagated through emails with an attachment named IMG{6 random number}.jpg.js.zip that\r\ncontains a JavaScript file named IMG{6 random number}.jpg.js.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted\r\nPage 1 of 11\n\nFigure 1. Sample email for Avaddon campaign\r\nAs seen in the preceding figure, the email body contains a single smiley. The emails for the Avaddon campaign\r\nalso  follow the footsteps of past malware campaigns that use particular subjects to spark the curiosity of the users,\r\n thus prompting them to open the message and download the attachment. 
Most of these emails have photo-related\r\nsubjects, which might be particularly enticing for users at a time when gadgets with built-in cameras have now\r\nbecome widely available:\r\nLook at this photo!\r\nPhoto just for you\r\nYou look good here\r\nI love this photo\r\nI like this photo\r\nIs this your photo?\r\nIs this you?\r\nMy favourite photo\r\nYou like this photo?\r\nAfter the attachment is downloaded and run, it uses a PowerShell command and the BITSAdmin command-line\r\ntool to download and run the ransomware payload. After this, the affected users will see that the ransomware has\r\nencrypted the files and appended them with the .avdn file extension. Users will see that their system desktop’s\r\nwallpaper has been automatically changed to an image that states that “all your files have been encrypted” and\r\nrefers to the ransom note: “Instruction 270015-readme.html” (following the {Encrypted Directory}\\{random\r\nnumbers}-readme.html format):\r\nFigure 2. User’s wallpaper as modified by the Avaddon attack\r\nThe ransom note gives instructions on how the affected user can recover the encrypted files.\r\nFigure 3. 
Avaddon ransom note\r\nThis ransomware encrypts files found in the following folders:\r\nProgram Files\\Microsoft\\Exchange Server\r\nProgram Files (x86)\\Microsoft\\Exchange Server\r\nProgram Files\\Microsoft SQL Server\r\nProgram Files (x86)\\Microsoft SQL Server\r\nIt adds the following processes that delete backup copies of the system, making it difficult to restore:\r\nwmic.exe SHADOWCOPY /nointeractive\r\nwbadmin DELETE SYSTEMSTATEBACKUP\r\nwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\nbcdedit.exe /set {default} recoveryenabled No\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nIt terminates services and processes, many of which are related to scanning, storing and retrieving files, and\r\nscheduling tasks. Below are some examples:\r\nTerminated services:\r\nccEvtMgr\r\nccSetMgr\r\nCulserver\r\ndbeng8\r\ndbsrv12\r\nDefWatch\r\nIntuit.QuickBooks.FCS\r\nmsmdsrv\r\nQBCFMonitorService\r\nQBIDPService\r\nTerminated processes:\r\n360doctor.exe\r\n360se.exe\r\naxlbridge.exe\r\nBCFMonitorService.exe\r\nCulture.exe\r\nDefwatch.exe\r\nfdhost.exe\r\nfdlauncher.exe\r\nGDscan.exe\r\nhttpd.exe\r\nIt terminates itself if the Windows Locale ID is equal to the following:\r\n419 = Russian\r\n422 = Ukrainian\r\nIt terminates itself if the machine is set to the following keyboard layout language:\r\n419 = Russian\r\n485 = Yakut (Russia)\r\n444 = Tatar\r\n422 = Ukrainian\r\nIt is worth mentioning that the technique of avoiding systems from particular countries has similarly been\r\nobserved in MedusaLocker ransomware campaigns.\r\nFor a full list of processes and 
services and for more details about the ransomware, please refer to our report.\r\nNew techniques spotted\r\nIn recent months, there have also been updates on the techniques used by some ransomware variants. For\r\nexample, Netwalker ransomware can now be run filelessly through reflective dynamic-link library (DLL) injection\r\n(aka reflective DLL loading). This technique injects the DLL from memory rather than from disk. Although the\r\ntechnique itself is not novel (it has been previously used to deploy ColdLock ransomware), its use by Netwalker is\r\nnew.\r\nAnother notable development is Ragnar Locker’s deployment of virtual machines to evade detection by antivirus\r\nsoftware. According to Sophos, this attack vector has never been used with any ransomware type\r\nbefore. In the past, Ragnar Locker exploited managed service providers or attacked Windows Remote Desktop\r\nProtocol (RDP) connections.\r\nManufacturing, logistics, and energy sectors as targets\r\nRansomware varieties have been used to target several companies under the manufacturing, logistics, and energy\r\nsectors in the past months. A variant of Ekans ransomware (detected by Trend Micro as\r\nRansom.Win32.EKANS.D) has been wielded in targeted attacks against manufacturing companies. As observed\r\nby Dragos, there is a particular level of intentionality that is evident in the industrial processes\r\nterminated in past Ekans attacks, making them a threat that organizations with industrial control systems (ICS)\r\nshould keep an eye out for.\r\nNefilim, a ransomware that follows the recent trend of ransomware types that\r\nnot only encrypt files but also steal data, has been witnessed to attack logistics companies. Investigations into\r\nthese attacks have led us to uncover more about the recently discovered ransomware’s behavior, particularly with\r\nregard to its data theft capabilities. 
We found out that this data theft begins weeks or even months before the\r\nransomware is deployed, and that the attacks use several tools (both malicious and non-malicious) to deploy\r\nprocesses and move through the network.\r\nIn related news, operators behind Sodinokibi published, on a Tor webpage, 1,280 files of what they claim to be the\r\npassport details and other documents of staff members of an electric service provider. A few weeks before this, the\r\nransomware attack struck the company, thereby interrupting their operations.\r\nOn the other hand, another ransomware which we dubbed ColdLock (detected by Trend Micro as\r\nRansom.MSIL.COLDLOCK.YPAE-A) targeted a region, rather than just a particular industry. Specifically, it\r\nlaunched attacks on Taiwanese organizations, aiming to target databases and email servers for encryption.\r\nRansomware figures for May\r\nFor May, WannaCry emerged as the top ransomware family with 15,496 detections. WannaCry’s retention of the\r\nhighest number of detections can be attributed to its worm component and its operators’ persistence in trying to\r\npropagate the malware regularly. We foresee that WannaCry will continue having such a high number of\r\ndetections until either a new, massive ransomware comes into being, or the sources for WannaCry are found and\r\nremoved.\r\nTrailing behind are Locky with 1,532 detections and Cerber with 392 detections. Indeed, these ransomware\r\nfamilies have consistently been in the top three since January of this year. They were also in the top three for last\r\nyear’s total ransomware detections.\r\nFigure 4. 
Ransomware families with the most detections (May 2020)\r\nIn the same month, the industries with the most detections were government (1,870), manufacturing (1,599), and\r\nhealthcare (1,217).\r\nFigure 5. Top industries for ransomware detections (May 2020)\r\nFor segments, enterprise had the highest number of detections with over 18,000. Meanwhile, detections in the\r\nconsumer segment numbered over 4,000, compared with over 1,000 detections in small and medium-sized\r\nbusinesses (SMB).\r\nFigure 6. Top segments for ransomware detections (May 2020)\r\nAs for ransomware families, five new ones were detected in May, including the aforementioned ransomware\r\nColdLock. One of these new families is BlueCheeser (detected by Trend Micro as\r\nRansom.MSIL.BLUECHEESER.A), a ransomware family that appends encrypted files with the .himr extension\r\nand instructs affected users to pay US$400 to decrypt files.\r\nAnother is CoronaLock (detected by Trend Micro as Ransom.Win32.CORONALOCK.A), also known as\r\nCovidWorldCry. This ransomware, propagated through coronavirus-themed spam, renames encrypted files with the\r\n.corona.lock extension. A different ransomware family named PonyFinal (detected by Trend Micro as\r\nRansom.Java.PONYFINAL.A) is a Java-based, human-operated ransomware that targets Microsoft systems.\r\nLastly, GonnaCry (detected by Trend Micro as Ransom.Linux.GONNACRY.A) is a ransomware that targets Linux\r\nsystems. Compared with detections in April, the number of new ransomware families detected has decreased.\r\nFigure 7. 
Number of new ransomware families (January to May 2020)\r\nRobust defense against ransomware\r\nInterrupted operations, lost data, and the publication of confidential company data are some of the ways that a\r\nransomware attack can put a company at risk. However, companies can still find ways to protect their\r\norganizations from these attacks.\r\nHere are some of the best practices for users to protect systems from\r\nransomware:\r\nBack up files using the 3-2-1 rule. This rule involves regularly creating three backups in two different\r\nformats while storing one copy off-site.\r\nPeriodically patch and update applications and software. This ensures that vulnerabilities are addressed.\r\nFor zero-day vulnerabilities, deploy virtual patching.\r\nEnable sandbox analysis. Through this, malicious files can be run in an isolated environment. Therefore,\r\nthese files can be monitored without putting the system at risk.\r\nEnable advanced detection capabilities for new ransomware families like machine learning or behavior\r\nmonitoring technologies within your solutions.\r\nHere are some security solutions that are recommended against ransomware:\r\nTrend Micro™ XDR for Users – for earlier detection of threats before they can compromise\r\nendpoints and other layers of the system\r\nTrend Micro Apex One™ – for actionable insights and centralized visibility across the network\r\nTrend Micro Deep Discovery™ Email Inspector – for blocking and analyzing malicious email\r\nattachments\r\nIndicators of compromise\r\nAvaddon Ransomware\r\nURLs\r\nhxxp://217.8.117.63/jpr.exe\r\nhxxp://217.8.117.63/sava.exe\r\nhxxp://myphotoload.com/photo.php\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted"
	],
	"report_names": [
		"ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted"
	],
	"threat_actors": [],
	"ts_created_at": 1775434341,
	"ts_updated_at": 1775960482,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86b15eda326c51a03fcac927eaf8d406bc6fc82f.pdf",
		"text": "https://archive.orkl.eu/86b15eda326c51a03fcac927eaf8d406bc6fc82f.txt",
		"img": "https://archive.orkl.eu/86b15eda326c51a03fcac927eaf8d406bc6fc82f.jpg"
	}
}