A newcomer to the ransomware scene, Avaddon ransomware has been actively spread in spam campaigns since the beginning of the month, and the attackers behind it continue to recruit affiliates on underground forums. During one of the detected campaigns, cybercriminals sent over 300,000 malicious emails using the Phorpiex/Trik botnet. Currently, Avaddon is aimed more at individual users than at organizations, and time will tell how this malware evolves. So far there have also been no cases of its operators stealing data before encrypting files, as the more advanced groups distributing Maze ransomware, DoppelPaymer, Ragnar Locker, and some others do.
A threat hunting rule submitted by Osman Demir enables security solutions to uncover Avaddon ransomware during its installation and the first steps of the attack: https://tdm.socprime.com/tdm/info/yme41l3RvAMR/glX4wXIBQAH5UgbBnIcH/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio
EDR: Carbon Black, Elastic Endpoint
Techniques: Data Encrypted for Impact (T1486)