{
	"id": "72c42c11-340c-4832-b5e2-881523160eef",
	"created_at": "2026-04-06T00:15:41.955883Z",
	"updated_at": "2026-04-10T13:12:11.716031Z",
	"deleted_at": null,
	"sha1_hash": "e6f54df6e904dcdca6e8327c9190ff8d71e24b8c",
	"title": "Distribution of Avaddon Ransomware using RigEK in Korea (extension: *.avdn) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1281526,
	"plain_text": "Distribution of Avaddon Ransomware using RigEK in Korea (extension: *.avdn) - ASEC\r\nBy ATCP\r\nPublished: 2020-06-24 · Archived: 2026-04-05 15:28:54 UTC\r\nIn early June, a new ransomware dubbed Avaddon was introduced in two articles (see links below). Since June 8, the number of malware samples distributed using RigEK (Rig Exploit Kit) has increased exponentially in Korea, and Avaddon ransomware is also being distributed.\r\n(June 7) sensorstechforum.com/avaddon-virus-remove/\r\n(June 8) www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/\r\nThe following figure shows the number of V3 behavior-detection logs for RigEK. 1153 is the number of the behavior-detection rule, and the figure shows that the number of cases started skyrocketing on June 8.\r\nThe number of behavior-based detection cases for RigEK\r\nhttps://asec.ahnlab.com/en/17411/\r\nPage 1 of 5\r\nUsers must be aware of Avaddon ransomware, which is among the various RigEK-based malware being distributed. The execution flow proceeds in the order “iexplore.exe -\u003e cmd.exe -\u003e wscript.exe -\u003e ransomware.exe” upon connecting to a vulnerable web page.\r\nUpon running, the ransomware checks the keyboard layout and excludes 0x419 0x485 0x444 0x422 (Russian / Sakha / Tatar / Ukrainian) from encryption. It also changes the registry values below, allowing the malicious file to run with administrator privileges.\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAd\r\nBefore infecting files, it sends IP info, rcid, the encryption key value, the name and size of a specific drive, locale and language settings, and the PC name.\r\nTo keep itself running persistently, it copies itself into the %APPDATA%\\Roaming\\microsoft folder and adds the following registry values:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\update\r\nThe commands it runs to delete backups are shown below; it also deletes the files in the $Recycle Bin folder.\r\nwmic.exe SHADOWCOPY /nointeractive\r\nbcdedit.exe /set {default} recoveryenabled No\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nwbadmin DELETE SYSTEMSTATEBACKUP\r\nwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\nThe folders excluded from infection are as follows:\r\nWindows, Program Files, Users\\All Users, AppData, Microsoft, ProgramData\r\nThe extensions and files excluded from encryption are as follows:\r\nexe, dll, sys, ini, dat, bin, lnk, avdn, -readme.html, bckgrd.bmp\r\nWhen the PC is infected, a ransom note in the form “717850-readme.html” is shown to the user; the numeric part is variable.\r\nRansom note (717850-readme.html)\r\nUpon encryption, the ransomware appends the .avdn string to the existing extension, and the changed desktop looks like the screen below.\r\nChange in desktop after encryption\r\nVarious filenames for the malware were found, as follows:\r\nqwkka.exe\r\npiptu.exe\r\nxi9y8.exe\r\nxysys.exe\r\nonbxo.exe\r\nThe ASEC analysis team used its in-house dynamic analysis system (RAPIT) to check the process tree and the commands executed by Avaddon ransomware, as shown below:\r\nProcess Tree structure\r\nAhnLab’s V3 products detect the malware under the following aliases:\r\n[File Detection]\r\nTrojan/Win32.MalPe.R341479\r\n[Behavior Detection]\r\nMalware/MDP.DriveByDownload.M1153\r\nMalware/MDP.Ransom.M2813\r\n[Memory Detection]\r\nWin-Trojan/MalPeP.mexp\r\nSource: https://asec.ahnlab.com/en/17411/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/17411/"
	],
	"report_names": [
		"17411"
	],
	"threat_actors": [],
	"ts_created_at": 1775434541,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6f54df6e904dcdca6e8327c9190ff8d71e24b8c.pdf",
		"text": "https://archive.orkl.eu/e6f54df6e904dcdca6e8327c9190ff8d71e24b8c.txt",
		"img": "https://archive.orkl.eu/e6f54df6e904dcdca6e8327c9190ff8d71e24b8c.jpg"
	}
}