Published in: Computers & Security

Avaddon ransomware: An in-depth analysis and decryption of infected systems


Abstract

Malware is an emerging and popular threat flourishing in the underground economy. The commoditization of Malware-as-a-Service (MaaS) allows criminals to obtain financial benefits at low risk and with little technical background. One such popular product is ransomware, a type of malware widely traded in the underground economy. In ransomware attacks, data on infected systems is held hostage (encrypted) until a ransom is paid to the criminals. In addition, a recent blackmailing strategy adopted by criminals is to leak data from the infected systems online if the ransom is not paid before a given deadline, producing further economic and reputational damage. In this work, we perform an in-depth analysis of Avaddon, a ransomware offered in the underground economy as an affiliate-program business. This threat has been linked to various cyberattacks and has infected and leaked data from at least 62 organizations. Additionally, it also runs Distributed Denial-of-Service (DDoS) attacks against victims that do not pay the ransom. We first provide an analysis of the criminal business model in the underground economy. Then, we identify and describe its technical capabilities, dissecting details of its inner structure. As a result, we provide tools to assist analysis by decrypting and labeling obfuscated strings observed in the ransomware binary. Additionally, we provide empirical evidence of links between this variant and a previous family, suggesting that the same group was behind the development and, possibly, the operation of both campaigns. Finally, we develop a procedure to recover files encrypted by Avaddon. We successfully tested the proposed procedure against different versions of Avaddon. The proposed method is released as an open-source tool so that it can be incorporated into existing antivirus engines and extended to decrypt other ransomware families that implement a similar encryption approach.
