# Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted

**[trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted)**

_Additional insights by Monte De Jesus, Mohammed Malubay, and Alyssa Christelle Ramos_

_Updated on July 23, 2020 3 AM EDT with added data on new ransomware families._

Over the past couple of months, [ransomware has remained a formidable threat](https://www.trendmicro.com/vinfo/US/security/definition/ransomware) as new families, techniques, and targets continue to emerge at every turn. Recently, we witnessed the rise of the new ransomware family Avaddon. We also examined techniques used by some ransomware variants and the industries affected by these attacks. Additionally, we include our latest figures on the ransomware families with the most detections, new ransomware families, and the most affected industries and segments.

## Avaddon ransomware

The new ransomware called Avaddon (detected by Trend Micro as [Ransom.Win32.AVADDON.YJAF-A](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.AVADDON.YJAF-A)) has been observed in the wild. A trojan (detected by Trend Micro as [Trojan.JS.AVADDON.YJAF-A](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.JS.AVADDON.YJAF-A)) downloads the ransomware from malicious sites and runs it on the system. This was reported in a [series of Twitter posts by TMMalAnalyst](https://twitter.com/tmmalanalyst/status/1270197110768406528).

The ransomware is propagated through emails with an attachment named IMG{6 random numbers}.jpg.js.zip that contains a JavaScript file named IMG{6 random numbers}.jpg.js.

Figure 1. Sample email for the Avaddon campaign

As seen in the preceding figure, the email body contains a single smiley. The emails of the Avaddon campaign also follow in the footsteps of past malware campaigns that use particular subjects to spark the curiosity of users, prompting them to open the message and download the attachment. Most of these emails have photo-related subjects, which might be particularly enticing for users at a time when gadgets with built-in cameras have become widely available:

- Look at this photo!
- Photo just for you
- You look good here
- Love this photo
- I like this photo
- Is this your photo?
- Is this you?
- My favourite photo
- You like this photo?

After the attachment is downloaded and run, it uses a PowerShell command and the BITSAdmin command-line tool to download and run the ransomware payload. Afterwards, affected users will find that the ransomware has encrypted their files and appended the .avdn file extension. The system desktop wallpaper is automatically changed to an image stating that "all your files have been encrypted" and referring to the ransom note "Instruction 270015-readme.html" (following the {Encrypted Directory}\{random numbers}readme.html format):

Figure 2. User's wallpaper as modified by the Avaddon attack

The ransom note gives instructions on how the affected user can recover the encrypted files.

Figure 3. Avaddon ransom note

This ransomware encrypts files found in the following folders:

- Program Files\Microsoft\Exchange Server
- Program Files (x86)\Microsoft\Exchange Server
- Program Files\Microsoft SQL Server
- Program Files (x86)\Microsoft SQL Server

It runs the following commands, which delete backup copies of the system and make it difficult to restore:

- wmic.exe SHADOWCOPY /nointeractive
- wbadmin DELETE SYSTEMSTATEBACKUP
- wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
- bcdedit.exe /set {default} recoveryenabled No
- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- vssadmin.exe Delete Shadows /All /Quiet

It terminates services and processes, many of which are related to scanning, storing and retrieving files, and scheduling tasks. Below are some examples:

Terminated services:

- ccEvtMgr
- ccSetMgr
- Culserver
- dbeng8
- dbsrv12
- DefWatch
- Intuit.QuickBooks.FCS
- msmdsrv
- QBCFMonitorService
- QBIDPService

Terminated processes:

- 360doctor.exe
- 360se.exe
- axlbridge.exe
- BCFMonitorService.exe
- Culture.exe
- Defwatch.exe
- fdhost.exe
- fdlauncher.exe
- GDscan.exe
- httpd.exe

It terminates itself if the Windows Locale ID is equal to one of the following:

- 419 = Russian
- 422 = Ukrainian

It also terminates itself if the machine is set to one of the following keyboard layout languages:

- 419 = Russian
- 485 = Yakut (Russia)
- 444 = Tatar
- 422 = Ukrainian

It is worth mentioning that the technique of avoiding systems from particular countries has similarly been observed in MedusaLocker ransomware campaigns.

[For a full list of processes and services and for more details about the ransomware, please refer to our report.](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.AVADDON.YJAF-A)

## New techniques spotted

In recent months, there have also been updates to the techniques used by some ransomware variants. For example, Netwalker ransomware [can now be run filelessly through reflective dynamic-link library (DLL) injection (aka reflective DLL loading)](https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/). This technique injects the DLL from memory rather than from disk. Although the technique itself is not novel (it has previously been used to deploy [ColdLock ransomware](https://blog.trendmicro.com/trendlabs-security-intelligence/targeted-ransomware-attack-hits-taiwanese-organizations/)), its use by Netwalker is new.

Another notable development is Ragnar Locker's deployment of virtual machines to evade detection by antivirus software. According to [Sophos, this attack vector has never been used with any ransomware type before](https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/). In the past, Ragnar Locker exploited managed service providers or attacked Windows Remote Desktop Protocol (RDP) connections.

## Manufacturing, logistics, and energy sectors as targets

Ransomware varieties have been used to target several companies in the manufacturing, logistics, and energy sectors in the past months.

A variant of [Ekans ransomware (detected by Trend Micro as Ransom.Win32.EKANS.D) has been wielded in targeted attacks against manufacturing companies](https://securityboulevard.com/2020/06/ekans-strikes-again-honda-and-enel-taken-down-by-ransomware/). As [observed by Dragos](https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/), there is a particular level of intentionality evident in the industrial processes terminated in past Ekans attacks, making Ekans a threat that organizations with industrial control systems (ICS) should keep an eye out for.

[Nefilim, a ransomware that follows the recent trend of ransomware types that not only encrypt files but also steal data, has been observed to attack logistics companies.](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/updated-analysis-on-nefilim-ransomware-s-behavior)
Investigations into these attacks have led us to uncover more about the recently discovered ransomware's behavior, particularly with regard to its data theft capabilities. We found that this data theft begins weeks or even months before the ransomware is deployed, and that the attacks use several tools (both malicious and non-malicious) to deploy processes and move through the network.

In related news, operators behind Sodinokibi published, on a Tor webpage, 1,280 files of what they claim to be the passport details and other documents of staff members of an electric service provider. [A few weeks before this, the ransomware attack struck the company](https://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/), interrupting its operations.

On the other hand, another ransomware, which we dubbed ColdLock (detected by Trend Micro as Ransom.MSIL.COLDLOCK.YPAEA), targeted a region rather than a particular industry. Specifically, it launched attacks on [Taiwanese organizations](https://blog.trendmicro.com/trendlabs-security-intelligence/targeted-ransomware-attack-hits-taiwanese-organizations/), aiming to encrypt databases and email servers.

## Ransomware figures for May

For May, WannaCry emerged as the top ransomware family with 15,496 detections. WannaCry's retention of the highest number of detections can be attributed to its worm component and its operators' persistence in trying to propagate the malware regularly. We foresee that WannaCry will continue to have such a high number of detections until either a new, massive ransomware comes into being or the sources of WannaCry are found and removed. Trailing behind are Locky with 1,532 detections and Cerber with 392 detections. These ransomware families have consistently been in the top three since January of this year. They were also in the top three for last year's total ransomware detections.

Figure 4. Ransomware families with the most detections (May 2020)

In the same month, the industries with the most detections were government (1,870), manufacturing (1,599), and healthcare (1,217).

Figure 5. Top industries for ransomware detections (May 2020)

For segments, enterprise had the highest number of detections with over 18,000. Meanwhile, detections in the consumer segment numbered over 4,000, compared with over 1,000 detections in small and medium-sized businesses (SMB).

Figure 6. Top segments for ransomware detections (May 2020)

As for ransomware families, five new ones were detected in May, including the aforementioned ColdLock. One of these new families is [BlueCheeser](https://www.pcrisk.com/removal-guides/16965-bluecheeser-ransomware) (detected by Trend Micro as Ransom.MSIL.BLUECHEESER.A), a ransomware family that appends encrypted files with the .himr extension and instructs affected users to pay US$400 to decrypt files. Another is CoronaLock, also known as [CovidWorldCry](https://www.2-spyware.com/remove-corona-lock-ransomware.html) ransomware, which is propagated through coronavirus-themed spam and renames encrypted files with the .corona.lock extension. A different ransomware family named [PonyFinal](https://threatpost.com/ponyfinal-ransomware-enterprise-servers/156083/) (detected by Trend Micro as Ransom.Java.PONYFINAL.A) is a Java-based, human-operated ransomware that targets Microsoft systems. Lastly, GonnaCry (detected by Trend Micro as Ransom.Linux.GONNACRY.A) is a ransomware that targets Linux systems. Compared with detections in April, the number of new ransomware families detected has decreased.

Figure 7. Number of new ransomware families (January to May 2020)

## Robust defense against ransomware

Interrupted operations, lost data, and the publication of confidential company data are some of the ways that a ransomware attack can put a company at risk.
However, companies can still find ways to protect their organizations from these attacks. [Here are some of the best practices for users to protect systems from ransomware:](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/best-practices-ransomware)

- [Back up files using the 3-2-1 rule.](https://blog.trendmicro.com/trendlabs-security-intelligence/world-backup-day-the-3-2-1-rule/?_ga=2.69332048.1941080928.1587017369-534757267.1571299636) This rule involves regularly creating three backups in two different formats while storing one copy off-site.
- Periodically patch and update applications and software. This ensures that vulnerabilities are addressed. For [zero-day vulnerabilities](https://www.trendmicro.com/vinfo/us/security/definition/zero-day-vulnerability), deploy virtual patching.
- Enable sandbox analysis. Through this, malicious files can be run in an isolated environment and monitored without putting the system at risk.
- Enable advanced detection capabilities for new ransomware families, such as machine learning or behavior monitoring technologies, within your solutions.
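To make the attachment-inspection side of this advice concrete for the Avaddon lure described earlier (IMG{6 digits}.jpg.js.zip holding IMG{6 digits}.jpg.js), here is an added Python check, not Trend Micro's code, that holds an attachment when its name matches the campaign pattern or when it, or a member of its archive, hides a script behind an image-like extension. The extension lists and the in-memory sample archive are assumptions constructed for the example.

```python
"""Mail-gateway style check for the Avaddon lure: IMG{6 digits}.jpg.js.zip
holding IMG{6 digits}.jpg.js. Also flags, more generally, any attachment or
archive member that hides a script behind an image-like extension."""
import io
import re
import zipfile

# Naming pattern reported for the campaign (case-insensitivity is assumed)
AVADDON_LURE = re.compile(r"^IMG\d{6}\.jpg\.js(\.zip)?$", re.IGNORECASE)
# Extension lists are assumptions for this example, not a vendor's list
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}


def double_extension(name):
    """Return (decoy, script) when name ends in <decoy ext>.<script ext>, else None."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3:
        decoy, script = "." + parts[1], "." + parts[2]
        if decoy in DECOY_EXTS and script in SCRIPT_EXTS:
            return decoy, script
    return None


def inspect_attachment(filename, data):
    """Return the list of reasons an attachment should be held; empty means clean."""
    reasons = []
    if AVADDON_LURE.match(filename):
        reasons.append("name matches the Avaddon IMG{6 digits}.jpg.js pattern")
    if double_extension(filename):
        reasons.append("attachment name hides a script behind a decoy extension")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    ext = "." + member.lower().rsplit(".", 1)[-1]
                    if ext in SCRIPT_EXTS or double_extension(member):
                        reasons.append(f"archive member {member} is a script file")
        except zipfile.BadZipFile:
            reasons.append("attachment claims to be a zip but is not a valid archive")
    return reasons


def make_sample_zip(member_name):
    """Constructed sample archive with one placeholder member (no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder body, not the real downloader\n")
    return buf.getvalue()
```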
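As an added illustration of the behavior-monitoring practice above (example code, not Trend Micro's), the following Python rule flags the recovery-inhibiting commands listed in the Avaddon section when several distinct ones are issued by the same parent process within a short window. The event schema (dicts with ts, ppid, cmdline), the 60-second window, the two-technique threshold and the sample events are all assumptions constructed for the example.

```python
"""Behavior-monitoring rule for the recovery-inhibiting commands the Avaddon
section lists, run over constructed process-creation events. One such command
can be legitimate administration; several distinct ones from the same parent
within a short window is the pattern worth alerting on."""
import re
from collections import defaultdict

# (technique label, regex over the lowercased command line)
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("systemstate_backup_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+systemstatebackup\b")),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("boot_failure_ignored", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
]


def match_rules(cmdline):
    """Set of technique labels whose regex matches the command line."""
    low = cmdline.lower()
    return {label for label, rx in RULES if rx.search(low)}


def detect(events, window=60, min_techniques=2):
    """events: dicts with ts (epoch seconds), ppid, cmdline (assumed schema).
    Returns {ppid: sorted technique labels} for parents that issued at least
    min_techniques distinct techniques within any window-second span."""
    hits = defaultdict(list)  # ppid -> [(ts, label)], ordered by ts
    for ev in sorted(events, key=lambda e: e["ts"]):
        for label in match_rules(ev["cmdline"]):
            hits[ev["ppid"]].append((ev["ts"], label))
    alerts = {}
    for ppid, seq in hits.items():
        for start, _ in seq:
            labels = {lab for ts, lab in seq if start <= ts <= start + window}
            if len(labels) >= min_techniques:
                alerts[ppid] = sorted(labels)
                break
    return alerts


# Constructed sample telemetry, not real logs
SAMPLE_EVENTS = [
    {"ts": 101, "ppid": 4242, "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP"},
    {"ts": 102, "ppid": 4242, "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
    {"ts": 103, "ppid": 4242, "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": 104, "ppid": 4242, "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": 105, "ppid": 4242, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # A single shadow-copy cleanup from an unrelated parent stays below threshold
    {"ts": 9000, "ppid": 7, "cmdline": "vssadmin.exe Delete Shadows /For=D: /Oldest /Quiet"},
]
```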
Here are some security solutions that are recommended against ransomware:

- [Trend Micro™ XDR for Users](https://www.trendmicro.com/en_us/business/products/detection-response/xdr.html?utm_campaign=PRLA2019_Corporate_XDR&utm_medium=VURL&utm_source=General&utm_content=XDR) – for earlier detection of threats before they can compromise endpoints and other layers of the system
- Trend Micro Apex One™ – for actionable insights and centralized visibility across the network
- [Trend Micro Deep Discovery Email Inspector](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-inspector.html) – for blocking and analyzing malicious email attachments

## Indicators of compromise

**Avaddon Ransomware**

The Avaddon executable samples are detected by Trend Micro as Ransom.Win32.AVADDON.YJAF-A, with machine learning detection Troj.Win32.TRX.XXPE50FF; the JavaScript downloader samples are detected as [Trojan.JS.AVADDON.YJAF-A](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.JS.AVADDON.YJAF-A), with no machine learning detection applicable.
[Posted in Cybercrime & Digital Threats](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats)