Over the past month there has been a surge in Phorpiex botnet activity. A botnet is a network of computers that have been infected with malware, placing them under the control of the botnet operator. Those computers are then used to send spam and phishing emails, often with the aim of distributing malware and ransomware. There are known to be around 500,000 computers in the Phorpiex botnet globally and the botnet has been in operation for almost 10 years.

The Phorpiex botnet has previously been used for sending sextortion emails, distributing cryptocurrency miners, and malware such as the Pony information stealer, GandCrab ransomware, and the XMRig cryptocurrency miner. In June, the Phorpiex botnet was used to conduct a massive Avaddon ransomware campaign that saw around 2% of companies targeted around the world.

Ransomware attacks have increased over the past few months, with many ransomware gangs delivering ransomware manually after gaining access to corporate networks by exploiting vulnerabilities in VPNs and other software or taking advantage of insecure default software configurations. There has also been an increase in ransomware attacks using email as the attack vector. Several ransomware variants are now being primarily delivered by email, and Avaddon ransomware was one of the biggest email threats in June. One week in June saw more than 1 million spam emails sent via the Phorpiex botnet, with most of those emails targeting U.S. companies.

Avaddon ransomware is a new ransomware variant that was first detected in June. The operators of Avaddon ransomware are advertising their malware as ransomware-as-a-service (RaaS) and have been recruiting affiliates to distribute the ransomware for a cut of the profits.

In early June, an Avaddon ransomware campaign was detected that used JavaScript attachments in spam emails. The files had a double extension which made them appear to be JPG files on Windows computers. Windows computers hide file extensions by default, so the file attachment would appear to be named IMG123101.jpg on a Windows computer in the default configuration. If Windows had been changed to display known file extensions, the user would see the file was actually IMG123101.jpg.js. Opening the file would launch a PowerShell and Bitsadmin command that would trigger the download and execution of Avaddon ransomware.

More recently, a campaign was detected that distributed Avaddon ransomware using spam emails with Excel spreadsheet attachments with malicious Excel 4.0 macros. In contrast to JavaScript files, which will run when opened by users, Excel macros require user action to run, so they are less effective. That said, users are instructed to enable the macros using a variety of social engineering techniques and they are still effective.

Avaddon ransomware searches for a range of file types, encrypts those files and adds the .avdn extension. A ransom note is dropped, and a link is supplied to a Tor site along with a unique user ID to allow the victim to login to pay the ransom for the keys to unlock encrypted files. There is no free decryptor available for Avaddon ransomware. File recovery will only be possible if the ransom is paid or if viable backups exist that have not also been encrypted by the ransomware.

Several subject lines have been used in the emails, such as “Your new photo?” and “Do you like my photo?”, with only a 😉 emoji in the body of the email. This tactic is simple, yet effective.

There are several steps that can be taken by businesses to prevent Avaddon and other email-based ransomware attacks. End user security awareness training should raise awareness of the threat and teach employees how to recognize phishing and malspam threats and condition them to report emails to their security team. If possible, macros should be disabled on all end user devices, although the email attachments used often change and disabling macros will not therefore always prevent infection.

One of the best defenses against email threats such as phishing, malware and ransomware is to install a powerful anti-spam solution such as SpamTitan. SpamTitan can work as a standalone anti-spam solution, but also as an additional level of protection for Office 365 email, complementing Microsoft Exchange Online Protection (EOP) and providing an additional layer of security to block zero-day phishing and malware threats.

For more information on protecting your organization from ransomware and other email threats, give the TitanHQ team a call today.