avan

[Content by Gemini 2.5]

Technical Breakdown:

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension: All encrypted files receive the suffix “.avan” (lowercase).
    • Renaming Convention: The malware keeps the original file name, appends a single dot, then “avan”.
    Example: Vacation.jpg → Vacation.jpg.avan

  2. Detection & Outbreak Timeline
    • Approximate Start Date/Period: First submissions to public malware repositories were spotted on 15-February-2024. A wider warning was issued by CERTs on 21-February-2024 after multiple European hospitals reported infections; the wave peaked between late-February and mid-March 2024.

  3. Primary Attack Vectors
    • Propagation Mechanisms
    – Exploitation of Fortinet FortiOS CVE-2023-27997 (heap-based buffer overflow in SSL-VPN).
    – Spear-phishing e-mails with a fake “Security Update.zip” archive that drops Golang dropper “upd.exe”.
    – RDP brute-force followed by living-off-the-land placement of a PowerShell loader (“r.ps1”).
    – Web-deployed MSI masquerading as a legitimate Zoom update that fetches the final payload from GitHub raw-URLs.
    – Limited worm-like lateral movement via WMIC and remote Service Creation.

Remediation & Recovery Strategies:

  1. Prevention
    • Patch FortiOS/FortiGate appliances to 7.0.14, 7.2.5 or 7.4.0+ immediately.
    • Disable SMBv1 company-wide (although not the main dropper channel, Avan borrows routines from other families that use it).
    • Segment critical networks from SSL-VPN concentrators; monitor inbound HTTPS/SSL on port 4443.
    • Impose MFA on any external RDP or SSH endpoint; lock out high-privilege local accounts after 3 wrong logins.
    • Enable Windows Script Host (WSH) logging and restrict PowerShell to Constrained Language Mode.
    • User awareness: never execute attachments that claim to be “Security Updates” or “Invoice ZIP” files, or that carry generic Zoom installer filenames (install-4-8-8.exe, …).
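The following script is an added example (not part of the original write-up) that audits a Windows host against the prevention items above and prints the observed setting, a PASS/FAIL verdict and the corrective command for each. It assumes an elevated PowerShell 5.1+ session on an English-language Windows 10/Server 2016 or later host (the lockout check parses the English output of net accounts); the function name is an assumption. Note that an administrator's own console normally runs in FullLanguage mode, so the Constrained Language check should be run as a standard user to test the deployed policy.

```powershell
# Added example, not code from the original write-up.
# Audits a Windows host against the prevention items listed in section 1.
# Assumes: elevated PowerShell 5.1+, English 'net accounts' output.

function Test-AvanHardening {
    [CmdletBinding()]
    param()

    $results = @()

    # 1. SMBv1 must be disabled on the server side.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $results += [pscustomobject]@{
        Control  = 'SMBv1 disabled'
        Observed = "EnableSMB1Protocol=$smb1"
        Pass     = (-not $smb1)
        Fix      = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    }

    # 2. Local lockout threshold must be 1..3 (0 or "Never" means accounts never lock).
    #    'net accounts' prints a line "Lockout threshold:  3" (or "Never"); parse it.
    $line = (net accounts) | Where-Object { $_ -match '^Lockout threshold:' }
    $threshold = if ($line -match ':\s*(\d+)') { [int]$Matches[1] } else { 0 }
    $results += [pscustomobject]@{
        Control  = 'Lockout threshold <= 3'
        Observed = "threshold=$threshold"
        Pass     = ($threshold -ge 1 -and $threshold -le 3)
        Fix      = 'net accounts /lockoutthreshold:3'
    }

    # 3. PowerShell should be in ConstrainedLanguage mode for ordinary users.
    #    This only reports the mode of the current session; enforcement comes
    #    from an AppLocker/WDAC policy, so run this as a standard user to verify it.
    $mode = $ExecutionContext.SessionState.LanguageMode
    $results += [pscustomobject]@{
        Control  = 'PowerShell Constrained Language Mode'
        Observed = "LanguageMode=$mode"
        Pass     = ($mode -eq 'ConstrainedLanguage')
        Fix      = 'Deploy an AppLocker/WDAC policy so untrusted scripts run in ConstrainedLanguage'
    }

    # 4. Script block logging gives visibility into PowerShell loaders such as r.ps1.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = (Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $results += [pscustomobject]@{
        Control  = 'PowerShell script block logging'
        Observed = "EnableScriptBlockLogging=$sbl"
        Pass     = ($sbl -eq 1)
        Fix      = "New-Item -Path '$sblKey' -Force; Set-ItemProperty -Path '$sblKey' -Name EnableScriptBlockLogging -Value 1"
    }

    return $results
}

Test-AvanHardening | Format-Table Control, Pass, Observed, Fix -AutoSize -Wrap
```

Each row's Fix column is the exact command to apply when the control fails; the function only reads settings, so it is safe to run repeatedly during hardening.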

  2. Removal (Step-by-Step)
    a) Isolate infected machine(s) from the network (air-gap or switch-port shutdown).
    b) Boot into Windows RE (Recovery Environment) or a Linux live CD to mount the disk forensically if the host will not boot normally.
    c) Delete the persistence registry key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemCacheMgr
    d) Remove the scheduled task “SystemCacheUpdate” created under “\Microsoft\Windows\System\SystemCacheUpdate”.
    e) Hunt and remove the following artifacts:
    – C:\ProgramData\SystemCache\svc.exe (32-bit Go executable)
    – C:\Users\\AppData\Local\SystemUpdate\update.ps1
    – Any *.base64 file in %TMP%
    f) Update a reputable AV/EDR product (Kaspersky, ESET, Sophos) to the latest signatures covering Avan and run a full scan.
    g) Reboot into normal mode and run a second full scan to confirm the host is clean; reinstall any FortiClient or VPN client if required.
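Steps c) to e) above can be carried out with the added script below (not code from the original write-up). It hunts for the named Run value, scheduled task and file artifacts, copies each finding to a quarantine folder with its SHA-256 recorded before deleting it, and supports a -ReportOnly mode that changes nothing. It assumes an elevated PowerShell session on the already-isolated host; the quarantine path C:\IR\avan-quarantine and the function name are assumptions. Because the user-profile path in the write-up carries no user name, the script checks every profile under C:\Users.

```powershell
# Added example, not code from the original write-up.
# Hunts and removes the Avan persistence and file artifacts from removal steps c)-e),
# preserving evidence first. Assumes an elevated session on the isolated host.

function Remove-AvanFoothold {
    [CmdletBinding()]
    param(
        [string]$Quarantine = 'C:\IR\avan-quarantine',   # assumed evidence folder
        [switch]$ReportOnly
    )

    $findings = @()
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

    # Step c) Run-key persistence
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runVal = Get-ItemProperty -Path $runKey -Name SystemCacheMgr -ErrorAction SilentlyContinue
    if ($runVal) {
        $findings += "Run value SystemCacheMgr = $($runVal.SystemCacheMgr)"
        if (-not $ReportOnly) {
            # keep the value text before removing the foothold
            "$runKey\SystemCacheMgr = $($runVal.SystemCacheMgr)" | Add-Content -Path "$Quarantine\registry.txt"
            Remove-ItemProperty -Path $runKey -Name SystemCacheMgr
        }
    }

    # Step d) Scheduled task persistence
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\System\' -TaskName 'SystemCacheUpdate' -ErrorAction SilentlyContinue
    if ($task) {
        $findings += "Scheduled task $($task.TaskPath)$($task.TaskName)"
        if (-not $ReportOnly) {
            # export the task XML (it records the command the task ran) before unregistering
            Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath | Set-Content -Path "$Quarantine\SystemCacheUpdate.xml"
            Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
        }
    }

    # Step e) File artifacts. The write-up's profile path has no user name,
    # so every profile under C:\Users is checked.
    $paths = @('C:\ProgramData\SystemCache\svc.exe')
    $paths += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
              ForEach-Object { Join-Path $_.FullName 'AppData\Local\SystemUpdate\update.ps1' }
    $paths += Get-ChildItem -Path $env:TMP -Filter '*.base64' -File -ErrorAction SilentlyContinue |
              ForEach-Object { $_.FullName }

    foreach ($p in ($paths | Where-Object { Test-Path -Path $_ -PathType Leaf })) {
        $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        $findings += "File $p sha256=$hash"
        if (-not $ReportOnly) {
            # store under a neutral name so the quarantined copy is not accidentally executed
            Copy-Item -Path $p -Destination (Join-Path $Quarantine "$hash.bin")
            Remove-Item -Path $p -Force
        }
    }

    if ($findings.Count -eq 0) { $findings += 'No Avan artifacts found' }
    return $findings
}

# First pass: report only. Run again without -ReportOnly to quarantine and remove.
Remove-AvanFoothold -ReportOnly
```

Run the report-only pass first and keep its output with the case notes; the hashes it prints are what you submit to your AV vendor and compare against the removal-step list.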

  3. File Decryption & Recovery
    • Recovery Feasibility: Avan is a “leakware” variant for which working decryption tools exist.
    – A free decryptor was released 26-March-2024 by Emsisoft + Dutch Police (Operation AcidRain).
    – The tool supports AES-NI hardware acceleration and can recover files encrypted with both offline keys (embedded in the ransom note) and online keys (where the attacker’s infrastructure has been seized).
    • Essential Tools/Patches
    – Emsisoft Decryptor for Avan (v1.1.0.3, signed SHA-256 hash 3a15f8…).
    – The “!!!READ_ME!!!.txt” ransom note must still be present on disk (it contains the encrypted key blob the tool reads).
    – If the boot sector was overwritten, re-image the machine or run bcdboot C:\Windows to restore the EFI boot files.
    – Install FortiOS SSL-VPN patches (see section 1) before restoring files to avoid a second wave.
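Before running the decryptor, a pre-flight check is worth doing. The script below is an added example (not code from the original write-up or from Emsisoft): it inventories every “.avan” file and derives the original name using the renaming convention from the Technical Breakdown (strip the trailing “.avan”), confirms that the ransom note is present, and verifies the decryptor's SHA-256 before anything is executed. The expected hash is a placeholder because the write-up quotes only its first bytes; paste the full value from the vendor's page. The scan root, the decryptor path, the output CSV path and the function name are assumptions.

```powershell
# Added example, not code from the original write-up or the vendor.
# Pre-flight checks before running the Avan decryptor.
# Assumed paths: scan root D:\, decryptor C:\IR\decrypt_Avan.exe, CSV C:\IR\avan-inventory.csv.

function Test-AvanDecryptReadiness {
    [CmdletBinding()]
    param(
        [string]$ScanRoot     = 'D:\',
        [string]$Decryptor    = 'C:\IR\decrypt_Avan.exe',
        [string]$ExpectedHash = 'PLACEHOLDER_FULL_SHA256_FROM_VENDOR_PAGE',   # write-up gives only "3a15f8..."
        [string]$NoteName     = '!!!READ_ME!!!.txt'
    )

    # 1. Inventory encrypted files. The malware appends ".avan" to the complete
    #    original name, so "Vacation.jpg.avan" maps back to "Vacation.jpg".
    $encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter '*.avan' -ErrorAction SilentlyContinue
    $inventory = foreach ($f in $encrypted) {
        [pscustomobject]@{
            Encrypted = $f.FullName
            Original  = $f.FullName.Substring(0, $f.FullName.Length - 5)   # drop the 5-char ".avan"
            SizeBytes = $f.Length
        }
    }

    # 2. The note carries the encrypted key blob the tool needs; record every copy found.
    $notes = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter $NoteName -ErrorAction SilentlyContinue

    # 3. Never run an unverified decryptor binary on an incident host.
    #    Get-FileHash returns upper-case hex; -eq is case-insensitive in PowerShell.
    $hashOk = $false
    if (Test-Path -Path $Decryptor -PathType Leaf) {
        $actual = (Get-FileHash -Path $Decryptor -Algorithm SHA256).Hash
        $hashOk = ($actual -eq $ExpectedHash)
    }

    [pscustomobject]@{
        EncryptedFiles   = @($inventory).Count
        RansomNotesFound = @($notes).Count
        DecryptorHashOk  = $hashOk
        Ready            = ($hashOk -and @($notes).Count -gt 0 -and @($inventory).Count -gt 0)
        Inventory        = $inventory
    }
}

$r = Test-AvanDecryptReadiness
$r | Select-Object EncryptedFiles, RansomNotesFound, DecryptorHashOk, Ready | Format-List
# Keep the before-decryption inventory; comparing it with the post-run state shows which files the tool could not recover.
$r.Inventory | Export-Csv -Path 'C:\IR\avan-inventory.csv' -NoTypeInformation
```

Only proceed when Ready is True; a False with DecryptorHashOk False means the downloaded binary does not match the vendor's published hash and must not be run.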

  4. Other Critical Information
    • Unique Behavioural Traits
    – Avan purposely scans for “.fkm” files (FortiManager backups) and deletes AV/EDR agent service entries before encryption begins.
    – It attempts to clear Windows shadow copies with “vssadmin delete shadows /all /quiet”, but the command fails on systems where App-V or the Volume Shadow Copy Service is turned off, so VSS restoration frequently works even without the decryptor.
    – Payments are handled on a ransomware-as-a-service (RaaS) panel named “AvanXchange”, but under Operation AcidRain the seizure happened before mass payments were seen. No samples after March-2024 appear to contain functional wallets.
    • Broader Impact
    – At least 34 healthcare providers and 11 managed service providers were affected across Germany, Netherlands, and CEE, prompting the US-CISA to issue Alert AA24-081A.
    – The arrest of the affiliate behind Avan triggered coordinated takedowns of Rust stealer and IceXLoader affiliates that used identical VBS drop chain patterns, illustrating the cross-pollination of toolkits.
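The shadow-copy behaviour noted under Unique Behavioural Traits is both a detection opportunity and a recovery lead, and the added script below (not code from the original write-up) covers both: it searches Security event 4688 and Sysmon event 1 for the vssadmin deletion command line over a look-back window, then reports the VSS service state and how many shadow copies survive. It assumes process-creation auditing with command-line capture is enabled (the 4688 query returns nothing otherwise, which is a finding in itself) and that Sysmon may or may not be installed; the function name and the 30-day default are assumptions.

```powershell
# Added example, not code from the original write-up.
# Looks for the shadow-copy wipe described in section 4 and reports whether any
# shadow copies survived. Assumes Security 4688 command-line auditing and/or Sysmon.

function Find-ShadowCopyTampering {
    [CmdletBinding()]
    param([int]$LookbackDays = 30)

    $since = (Get-Date).AddDays(-$LookbackDays)
    # Signature for the wipe quoted in the write-up; tolerates "vssadmin.exe" and extra spacing.
    $pattern = 'vssadmin(\.exe)?\s+delete\s+shadows'

    $hits = @()

    # Extracts the CommandLine field from a 4688 or Sysmon event's XML payload.
    function Get-CommandLine($event) {
        $xml = [xml]$event.ToXml()
        return ($xml.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
    }

    # Security 4688 (needs "Include command line in process creation events" enabled).
    $sec = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue
    foreach ($e in $sec) {
        $cmd = Get-CommandLine $e
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Time=$e.TimeCreated; Source='Security/4688'; CommandLine=$cmd }
        }
    }

    # Sysmon Event ID 1 (process create), if the Sysmon log exists on this host.
    $sys = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1; StartTime=$since} -ErrorAction SilentlyContinue
    foreach ($e in $sys) {
        $cmd = Get-CommandLine $e
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Time=$e.TimeCreated; Source='Sysmon/1'; CommandLine=$cmd }
        }
    }

    # Did the wipe succeed? The write-up notes it often fails, so surviving
    # shadow copies are worth checking before reaching for the decryptor.
    $vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue
    $shadows    = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DeletionAttempts = $hits
        VssServiceStatus = if ($vssService) { "$($vssService.Status)" } else { 'not present' }
        SurvivingShadows = @($shadows).Count
        Advice           = if (@($shadows).Count -gt 0) {
                               'Shadow copies exist: restore from them before attempting other recovery'
                           } else {
                               'No shadow copies: rely on backups or the decryptor'
                           }
    }
}

Find-ShadowCopyTampering | Format-List
```

A non-empty DeletionAttempts list together with SurvivingShadows greater than zero is the case the write-up describes: the wipe was attempted but failed, and the snapshots are still a valid restore source.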

By applying the patches and removing the foothold vectors described above, most organisations have fully remediated within 48 hours without paying the attackers.