Recently there has been a rise in Phorpiex botnet activity. A botnet is a group of computers that have been infected with malware, placing them under the control of the botnet operator. Those computers are then used to send spam and phishing emails, often with the aim of distributing malware and ransomware. The Phorpiex botnet is known to comprise approximately 500,000 devices globally and has been in operation for around 10 years.

The Phorpiex botnet has previously been used for sending sextortion emails and for distributing cryptocurrency miners and malware such as the Pony information stealer, GandCrab ransomware, and the XMRig cryptocurrency miner. In June, the Phorpiex botnet was used to conduct a huge Avaddon ransomware campaign that resulted in around 2% of companies being targeted globally.

Ransomware attacks have grown in recent times, with many ransomware gangs deploying ransomware manually after obtaining access to corporate networks by exploiting flaws in VPNs and other software or by taking advantage of insecure default software configurations. There has also been a rise in ransomware attacks that use email as the attack vector. Many ransomware variants are now distributed primarily by email, and Avaddon ransomware was one of the most serious email threats in June. In one week in June, over 1 million spam emails were sent via the Phorpiex botnet, with most of those emails targeting U.S. firms.

Avaddon ransomware is a new ransomware variant that was first discovered in June. The operators of Avaddon ransomware are selling their malware as ransomware-as-a-service (RaaS) and have been recruiting affiliates to distribute the ransomware in return for a cut of the profits.

In early June, an Avaddon ransomware campaign was detected that used JavaScript attachments in spam emails. The files had a double extension which made them look like JPG files on Windows computers. Windows hides known file extensions by default, so in the default configuration the attachment would appear to be named IMG123101.jpg. If Windows had been configured to display known file extensions, the user would see that the file was actually IMG123101.jpg.js. Opening the file would launch a PowerShell and Bitsadmin command that would download, install and execute Avaddon ransomware.

More recently, a campaign was spotted that distributed Avaddon ransomware using spam emails with Excel spreadsheet attachments containing malicious Excel 4.0 macros. Unlike JavaScript files, which run as soon as the user opens them, Excel macros require the user to enable them before they run, so they are somewhat less effective. Even so, attackers use a variety of social engineering techniques to persuade users to enable the macros, and these attacks remain effective.

Avaddon ransomware searches for a variety of file types, encrypts those files and adds the .avdn extension. A ransom note is dropped, and a link to a Tor site is given along with a unique user ID that allows the victim to log in and pay the ransom for the keys to unlock the encrypted files. There is no free decryptor available for Avaddon ransomware. File recovery is only possible if the ransom is paid or if viable backups exist that have not also been encrypted by the ransomware.

A variety of subject lines have been used in the emails, such as “Your new photo?” and “Do you like my photo?”, with only a 😉 emoji in the body of the email. This tactic is simple, yet effective.

There are many steps that companies can take to stop Avaddon and other email-based ransomware attacks. End user security awareness training should raise awareness of the threat, teach staff how to recognize phishing and malspam, and condition them to report suspicious emails to their security department. If possible, macros should be disabled on all end user devices, although the attachment types used change frequently, so disabling macros will not always prevent infection.
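The attachment tricks described above (a script hidden behind a double extension such as IMG123101.jpg.js, and workbooks that can carry Excel 4.0 macros) are exactly what a mail-gateway policy check should catch before the message reaches a user. The following is an added example, not code from the original post or from TitanHQ; the extension lists, the sender addresses and the sample message are constructed for illustration.

```python
"""Classify email attachments by the double-extension and macro-workbook tricks."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows executes on double-click (constructed list, extend as needed).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "scr", "bat", "cmd", "ps1"}
# Harmless-looking extensions used as the visible half of a double extension.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}
# Workbook formats that can carry Excel 4.0 (XLM) macro sheets.
MACRO_EXTS = {"xls", "xlsm", "xlsb", "xlam"}

def classify_attachment(filename: str) -> str:
    """Return a verdict ('block', 'quarantine' or 'allow') with a reason."""
    parts = filename.lower().strip().split(".")
    if len(parts) < 2:
        return "allow: no extension"
    last = parts[-1]
    if last in SCRIPT_EXTS:
        # Windows hides only the final known extension, so 'x.jpg.js' displays as 'x.jpg'.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            return f"block: script disguised as .{parts[-2]} (double extension)"
        return f"block: executable script .{last}"
    if last in MACRO_EXTS:
        return "quarantine: macro-capable workbook, needs sandbox detonation"
    return "allow: no dangerous extension"

def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse an RFC 822 message and classify every attachment by its filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename() or "", classify_attachment(part.get_filename() or ""))
            for part in msg.iter_attachments()]

def build_sample() -> bytes:
    """Constructed lure modelled on the campaign: photo subject, wink, .jpg.js attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed address
    msg["To"] = "victim@example.invalid"     # constructed address
    msg["Subject"] = "Your new photo?"
    msg.set_content(";)")
    msg.add_attachment(b"// constructed stand-in, not a real script\n",
                       maintype="application", subtype="javascript",
                       filename="IMG123101.jpg.js")
    msg.add_attachment(b"constructed stand-in bytes", maintype="application",
                       subtype="vnd.ms-excel", filename="invoice.xls")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{name:20} -> {verdict}")
```

A real gateway would also inspect content (e.g. detonate the workbook and check for an XLM macro sheet) rather than trusting the filename alone, since the attachment types used change frequently.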

One of the strongest defenses against email threats such as phishing, malware and ransomware is to download a powerful anti-spam solution like SpamTitan. SpamTitan can work as a standalone anti-spam solution, but also as an extra tier of protection for Office 365 email, complementing Microsoft Exchange Online Protection (EOP) and providing an additional layer of security to prevent zero-day phishing and malware threats.

For more details on securing your organization from ransomware and other email threats, give the TitanHQ team a call now.