Published on June 24, 2021

Understanding the Avaddon Ransomware: Is your organization equipped to stop zero-day threats?

Recently, The Financial Times reported that Asian subsidiaries of a French global insurance company were hit by a recent ransomware attack known as Avaddon. Attackers seized 3TB of data, impacting IT operations in Thailand, Malaysia, Hong Kong and the Philippines, and taking hold of sensitive information such as medical records and hospital data.

What is Avaddon ransomware and how does it work? 

Avaddon first uses phishing emails to infect victims’ endpoints before making its way through the network, encrypting files and exfiltrating valuable data. What is particularly interesting about this ransomware is the method it utilises to delete backups: not only does the ransomware remove shadow copies of the user’s files, it also deletes system backups, disables automatic repair and recovery, and empties the Recycle Bin. Attackers have also used double extortion after the hit, threatening to leak victims’ data publicly if payment is not received.

The online threat-analysis repository VirusTotal records the first submission of Avaddon in June 2020, yet the ransomware was still publicly claiming victims as recently as May 2021. Even as the threat becomes more widely known over time, it is hard to imagine that any endpoint protection or antivirus vendor could hold every signature needed to stop all threats through a purely signature-based approach.

VirusTotal: Avaddon Ransomware sample from 24/Jun/20.

Modern problems require modern solutions

What organizations need is a behavioural solution to detect and stop zero-day and unknown threats. In the modern threat landscape, it is crucial for users to adopt cyber technologies that can detect and block sophisticated and unknown threats – ranging from ransomware to fileless and in-memory attacks. These solutions should also provide proactive threat hunting capabilities to enable the discovery of hidden threats within one’s infrastructure. With traditional protection methods, visibility is poor, and chances of compromise are heightened.

By leveraging unprecedented levels of automation using AI and ML, ReaQta autonomously detects the ransomware’s behaviour and actively mitigates threats as they unfold.

ReaQta-Hive’s Behavioural Tree showing the Avaddon ransomware.

Within seconds of an infection, ReaQta-Hive captures and presents pertinent breach information in a quick and concise manner. At a glance, analysts are able to quickly identify associated malicious behaviours and techniques applied by attackers and address the entirety of the infection, including complete remediation and clean-ups.

Attack tactics & techniques detected.

Attack information is also mapped to MITRE ATT&CK tactics and techniques, letting analysts easily understand the current stage of a compromise.

Avaddon is automatically stopped by ReaQta-Hive EDR within seconds.

With ReaQta’s real-time protection capabilities, threats like ransomware are automatically detected and stopped, preventing organisations from becoming the next victim of a ransomware attack. In the case of Avaddon, ReaQta acted within seconds, mitigating an attack that would otherwise have led to costly reputational damage and data exfiltration. Beyond stopping the threat, ReaQta’s AI automatically terminates every malicious process involved in the incident and then closes the alert, reducing the follow-up actions required of the security team.

About ReaQta

ReaQta is Europe’s top-tier AI Autonomous Detection & Response platform, built by an elite group of cyber security experts and AI/ML researchers with extensive backgrounds in government intelligence operations. Built with advanced automated threat-hunting features, ReaQta allows organizations to eliminate the most advanced endpoint threats in real time.

Headquartered in the Netherlands and in Singapore, ReaQta has closed its Series-A funding round and is expanding rapidly as one of the most disruptive, fastest growing endpoint security vendors, particularly in Europe and Asia.

As experts in AI and behavioral analysis, ReaQta’s proprietary dual-AI engines provide organizations across all industries with autonomous, real-time and fully customizable endpoint security, minus the complexity. As a result of unprecedented levels of automation coupled with intuitive design, ReaQta’s customers and partners benefit from performance improvements and are now able to manage and secure more endpoints without the need for highly skilled staff. For more information, visit https://reaqta.com 

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.