By Aaron Riley, Cofense Intelligence
A new attack pattern indicates that another ransomware family is expanding into data exfiltration. Ransomware traditionally forces victims to send a payment to recover their encrypted data. However, a growing number of ransomware operations is adding pressure using data exfiltration – victims who do not pay the ransom will have their data exposed publicly. Avaddon, a ransomware as a service (RaaS) that emerged this summer, is the latest family to join this trend, and its operators are almost certainly gearing up to leak the sensitive data of victims who do not quickly pay.
Avaddon caught our attention in June when the Trik botnet started sending it to a broad set of targets, signaling threat actors’ willingness to cast a wider net in search of ransom payments. More recently, security researchers indicated that the operators of Avaddon set up a data leak website to publish stolen data if victims fail to pay the ransom. Cofense Intelligence is now seeing a campaign that combines Avaddon with an information stealer, indicating that threat actors are preparing to make use of this new extortion feature. The campaign has successfully evaded secure email gateways (SEGs) and targets several different industries, as discussed in detail below.
Figure 1: Avaddon ransomware data dump webpage.
Smoke Loader Delivers Avaddon and Raccoon Stealer
The email in Figure 2 is part of a campaign that attempts to encrypt the victim’s computer with Avaddon ransomware. Spoofing the FedEx brand and using a shipping theme, this phishing campaign starts with a malicious embedded link that has evaded some SEGs. When a user clicks the link, it downloads a malicious program, Smoke Loader, which in turn delivers a two-part attack to the victim’s machine. The attack combines Avaddon with Raccoon Stealer, which performs the data exfiltration portion of the campaign.
Figure 2: Phishing email with an embedded link leading to a sample of Smoke Loader.
Data Exfiltration Increases Pressure, Adds Risk
The exfiltration of sensitive data can be damaging to an organization and carry heavy legal, financial and reputational consequences, which is why threat actors use it as leverage for extortion payments. In this instance, Raccoon Stealer provided the data theft and exfiltration capability that is not inherent in the Avaddon ransomware. Considering that Avaddon is a RaaS, it would be consistent for its operators to employ a malware as a service (MaaS) offering, Raccoon Stealer, to add features. Using a MaaS sample as the data exfiltration component also allows the threat actors to swap in other MaaS families as needed. Combining these two services with a successful delivery mechanism such as Smoke Loader creates an attack that is both more lucrative for threat actors and more harmful to victims.
With these most recent developments, Avaddon has joined a few other ransomware families in adding data exfiltration to use as leverage for extortion payments. The campaign shown in Figure 2 continued the trend of broad targeting—it was sent to a wide range of industries including energy, healthcare, insurance, manufacturing, mining and retail. As Avaddon sees increasing success from these efforts, we can expect more ransomware operators to follow suit.
Diligent backups will no longer suffice to save an organization from a ransomware incident if sensitive or confidential data has been exfiltrated. Not only can the organization suffer reputational damage from a data leak but, depending on the laws and regulations surrounding the data, it may also be subject to fines and penalties. Data owners or regulators can potentially hold the organization liable and pursue legal recourse, exacerbating the cost of the ransomware incident.
In conclusion, we predict that the most dangerous aspect of ransomware for organizations will soon be data exfiltration.