Avaddon Ransomware targeting users worldwide through spam campaign

This new Avaddon Ransomware targeting users worldwide through massive spam campaign

The new Avaddon Ransomware has come into highlight which is targeting users worldwide through a massive spam campaign. Avaddon was launched on 04 June 2020 and is actively recruiting hackers and malware distributors to spread the ransomware by any means possible.

How Avaddon Ransomware targeting users

Avaddon ransomware is distributed through email using subjects like "Your new photo?" or "Do you like my photo? containg winking smiley face in the body of the email.

Avaddon spam email

A zip file with name like IMG<number>.jpg.js.zip format is attached in the email. Once the zip is extracted, there is a small 1 kilobyte javascript file masquerading as a JPG photo.

JavaScript file displayed as a JPG

When user clicks on this image file it launches Windows scripting host to run a command launching PowerShell with the execution policy bypass flag. This directs Windows to run the unsigned script in the background without being blocked or displaying any warnings. A file named sava.exe is then downloaded from the IP of 217[.]8[.]117[.]63 into the local %temp% folder and saved as 5203508738.exe, before it’s executed.

Avaddon JScript downloader

After executed, the ransomware will search for data to encrypt and append the .avdn extension to encrypted files.

Files encrypted by Avaddon

A readme file was left on the desktop with the initial ransom message directing victim to a darknet onion address for further decryption information.

Avaddon Ransom Note

Once the victim browses to the darknet website they are required to input a unique encryption ID which is mentoned inside the readme file. Once victim entered that unique encryption ID, a timer begins a count down and displays the monetary demand.

Avaddon TOR payment site

This TOR payment site includes the ransom amount, and instructions on how to pay for a decryptor. The site also provides instructions on multiple methods for obtaining bitcoin, and 24/7 support assistance, via a chat interface. Also included is a QR code and unique bitcoin wallet address for payment. Other sections of the TOR website include a free test decryption, support chat, and a help page illustrated by Harry Potter characters.

Avaddon TOR help page

A security researcher (David Picket) of the cybersecurity firm AppRiver stated in their report that they had blocked over 300,000 emails in just a short period. In the meanwhile, PCrisk published a Avaddon removal guide to secure victims.

Indicators of Compromise

Hashes -

Attachment: 94faa76502bb4342ed7cc3207b3158027807a01575436e2b683d4816842ed65d

Associated files -


In 5 June 2020, Tycoon Ransomware targeted both Windows and Linux Systems. This is a new human-operated ransomware comes into limelight which is being deployed in highly targeted attacks.This ransomware targeting all small to medium size organizations, Institutions in education and software industries since at least December 2019 where threat actors would proceed to encrypt file servers and demands a ransom.
Does this article being helpful to you? Let us know your thoughts in the comments section and share it with us on Facebook, Twitter, or our LinkedIn Group.


Previous Post Next Post