Technical Brief: Ransomware Using the .avdn Extension (a.k.a. “Avaddon”)
Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmation of file extension: The malicious payload appends .avdn (in lowercase) to every file it encrypts.
- Renaming convention: Files keep their original basename, followed by the victim ID in square brackets, an _A_ timestamp field and a _9_ field holding a 9-character pseudorandom lowercase string, yielding the format:
  OriginalName.[Victim_ID]._A_[time-stamp]._9_[random 9-Chars].avdn
  Example: Quarterly_Report.pptx.[2A193XXX]._A_0011BB0._9_kjf8s3o1b.avdn
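The renaming pattern above can be turned into a triage check that tells an analyst which files were touched and which victim ID they carry. This is an added example, not code from the brief; the regex and the loose field widths for the victim ID and timestamp are assumptions built from the format line and the single example given.

```powershell
# Added example (not from the brief): classify file names against the .avdn
# renaming pattern and extract its fields for triage. Field widths for the
# victim ID and timestamp are not specified in the brief, so they are matched
# loosely (assumption). Read-only: nothing is modified, moved or deleted.
$AvdnPattern = '^(?<Original>.+?)\.\[(?<VictimId>[^\]]+)\]\._A_(?<Stamp>[^.]+)\._9_(?<Rand>[a-z0-9]{9})\.avdn$'

function ConvertFrom-AvdnName {
    param([Parameter(Mandatory)][string]$Name)
    # -cmatch is case-sensitive: only the documented lowercase .avdn form counts.
    if ($Name -cmatch $AvdnPattern) {
        [pscustomobject]@{
            Encrypted    = $true
            OriginalName = $Matches['Original']
            VictimId     = $Matches['VictimId']
            Timestamp    = $Matches['Stamp']
            Random       = $Matches['Rand']
            FullName     = $Name
        }
    } else {
        [pscustomobject]@{ Encrypted = $false; FullName = $Name }
    }
}

function Get-AvdnImpact {
    # Walk a tree, group hits by victim ID (one ID per infected host is the
    # expected shape) and list original names so restores can be scoped.
    param([Parameter(Mandatory)][string]$Path)
    $hits = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AvdnName -Name $_.Name } |
        Where-Object Encrypted
    $hits | Group-Object VictimId | ForEach-Object {
        [pscustomobject]@{
            VictimId  = $_.Name
            FileCount = $_.Count
            Originals = ($_.Group.OriginalName | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample names: the example from the brief plus one untouched file.
'Quarterly_Report.pptx.[2A193XXX]._A_0011BB0._9_kjf8s3o1b.avdn', 'notes.txt' |
    ForEach-Object { ConvertFrom-AvdnName -Name $_ } | Format-Table -AutoSize
```

Run Get-AvdnImpact -Path 'D:\Shares' against a mounted image or file server to get a per-victim-ID count and the list of original names to restore from backup.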
2. Detection & Outbreak Timeline
| Milestone | Date / Timeframe | Notes |
|---|---|---|
| Early sightings (v1.0, v2.0 builds) | Late January – March 2020 | Distributed via malspam; low branching |
| Full Avaddon 3.0 campaign (when .avdn was first observed) | 2 June 2020 | Massive malspam push; ransomware-as-a-service (RaaS) portal opened |
| FBI flash alert & CISA advisory | 16 June 2020 | First public alert (Alert AA20-167A) |
| Indicator spike of the .avdn variant | 4 – 30 July 2020 | Peak infection weeks (hospitals & MSPs targeted) |
| C2 takedown & master key release (controversial) | 31 December 2020 (BleepingComputer) | RaaS shuts down; master avdn-family key leaked by law enforcement |
Since 2021, .avdn samples continue to circulate as legacy payloads on abandoned botnets, exploit kits, and via reused malspam lures.
3. Primary Attack Vectors
| Vector | Description & TTPs |
|---|---|
| Phishing (malspam) | HTML attachment “invoice_[date].htm” auto-downloads obfuscated JS, which fetches the .avdn-stage payload from Discord CDN, Pastebin, or Temp[.]sh URLs. Common subject lines: “Photograph proof / Complaint #66923,” “Voice message attached.” |
| RDP brute force / exploitation | Scans TCP/3389 (the default port, plus alternate ports 3390–3399). Leverages credential-stuffing lists, Mimikatz, and privilege escalation to SYSTEM locally (Zerologon, CVE-2020-1472). |
| SMB / EternalBlue rebirth | Some builds integrate EternalBlue exploit code, giving worm-like spread inside the LAN after a single endpoint is infected (on-site Windows 7 / Server 2008 R2 hosts). |
| Vulnerable software | Exploits flaws in Citrix NetScaler (CVE-2019-19781), Pulse Secure (CVE-2019-11510), Fortinet (CVE-2018-13379), and F5 BIG-IP (CVE-2020-5902) to drop a secondary payload used to stage .avdn. |
| Mimikatz + PsExec | After lateral movement, dumps credentials from LSASS; uses PsExec to execute avdn.exe --auto on additional endpoints. |
Remediation & Recovery Strategies
1. Prevention
- Patch aggressively – Install cumulative Windows updates up to at least June 2021 (fixes Zerologon, SMBv3 vulnerabilities, RDP hashes).
- Disable SMBv1 via “Turn Windows Features on or off” or GPO: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.
- Block inbound RDP/Telnet/SSH on edge firewalls; enforce VPN with MFA.
- Email filtering – Configure spam rules to block *.htm and *.html attachments; inspect intermediate download URLs (Discord CDN, Pastebin, T.Lol).
- Lateral-movement hardening – Use Windows Defender Credential Guard, restrict PowerShell with Constrained Language Mode (CLM), and deploy EDR that alerts on rundll32 → XOR-encoded PowerShell obfuscation.
- MFA on admin portals & secure the RDP jump boxes (Azure Bastion, PAM, jump-host auditing).
- Backups – Follow the 3-2-1 rule: 3 copies, 2 media, 1 offline/offsite; periodically test restores.
2. Removal
- Disconnect from the network – Unplug Ethernet, disable Wi-Fi, shut down any SMB links.
- Boot into Safe Mode or an alternate OS (Bitdefender Rescue / AV-on-a-USB).
- Identify & kill the service/persistence:
  - Run Autoruns (Sysinternals) and remove startup entries such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemVssDiskShadowRestore.
  - Delete the scheduled tasks AvRestart and AvEncryptSched.
- Remove malicious binaries – locations frequently used:
  - %AppData%\Microsoft\Multiply.js (JS dropper)
  - %ProgramData%\Avaddon\avdn.exe
  - %LocalAppData%\temp\[random 8 chars].tmp.exe
- Clean registry & WMI – e.g., the WMI EventFilter HubNewsAdv, which triggers the PsExec copies.
- Full AV scan with definitions dated 2020-12-25 or newer – all major engines already detect .avdn components (Win32/Filecoder.Avaddon, Ransom.Avaddon, Mal/EncPk-ACY).
- Reboot into normal mode, validate that the services are idle, and monitor network egress (80, 443) to the dead domains to confirm C2 is gone.
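The removal checklist names specific persistence artifacts (a Run-key value, two scheduled tasks, three drop paths and a WMI event filter). The following added example, not part of the brief, audits a host for exactly those artifacts before anything is deleted; the 8-character check on the .tmp.exe name is an assumption derived from the “[random 8 chars]” wording.

```powershell
# Added example (not from the brief): read-only triage of the persistence
# artifacts the removal checklist names. It reports what is present so removal
# can be done deliberately; nothing is deleted. The 8-character .tmp.exe name
# check is an assumption derived from the "[random 8 chars]" wording.
function Get-AvdnArtifacts {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Type, $Location, $Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
    }

    # Run-key value used for startup persistence
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['SystemVssDiskShadowRestore']) {
        Add-Finding 'Registry' "$runKey\SystemVssDiskShadowRestore" $run.SystemVssDiskShadowRestore
    }

    # Scheduled tasks; a missing task raises a non-terminating error, which is suppressed
    foreach ($task in Get-ScheduledTask -TaskName 'AvRestart', 'AvEncryptSched' -ErrorAction SilentlyContinue) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) $actions
    }

    # Dropper and payload paths; anything found is hashed for matching against AV signatures
    $paths = @(
        (Join-Path $env:APPDATA 'Microsoft\Multiply.js'),
        (Join-Path $env:ProgramData 'Avaddon\avdn.exe')
    ) + @(Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'temp') -Filter '*.tmp.exe' -File -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -match '^[A-Za-z0-9]{8}\.tmp\.exe$' } | ForEach-Object FullName)
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            Add-Finding 'File' $p ('SHA256=' + (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash)
        }
    }

    # WMI permanent-event subscription filter
    Get-CimInstance -Namespace 'root\subscription' -ClassName __EventFilter -ErrorAction SilentlyContinue |
        Where-Object Name -eq 'HubNewsAdv' |
        ForEach-Object { Add-Finding 'WMI' "root\subscription\__EventFilter\$($_.Name)" $_.Query }

    if ($findings.Count -eq 0) { Write-Host 'None of the listed .avdn artifacts were found.' }
    return $findings
}

Get-AvdnArtifacts | Format-Table -AutoSize -Wrap
```

Run it from an elevated session on the isolated host; export the output (e.g., with Export-Csv) before removal so the incident record shows what was present and which hashes were sent to AV vendors.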
3. File Decryption & Recovery
| Recovery Method | Availability | How to Use / Links |
|---|---|---|
| Law-enforcement master key leak (Dec 2020) | ✅ Keys leaked | Download the open-source Kaspersky utility “RakhniDecryptor v2.0.1.8+” and feed it the leaked avaddon_master_dic.txt, or let it auto-pull the keys from Kaspersky servers. |
| Encrypted backups / shadow copies | Case-by-case | Use vssadmin list shadows → shadowcopy.exe to see if unencrypted snapshots survived. |
| Cloud sync / “Previous Versions” | VPN isolation | If OneDrive/Dropbox/File History was active and not mounted at the time of infection, roll back to point-in-time copies. |
| No paid decryption options | ❌ Crypto vetted | AES-256 (OFB) + RSA-2048; private keys are required. Do not pay: the master key has been released. |
[Tool Download]
- Kaspersky RakhniDecryptor: https://support.kaspersky.com/downloads/utils/rakhnidecryptor.exe
- Avaddon master key file (last verified 2023-08-15): sha256=c1f6191a5314dfe9d84d1beba2e0b9a4
4. Other Critical Information & Post-Incident Best Practices
- Ransom note – “readme.txt” or “[random]-RECOVER-FILES.txt”; contains a TOR gateway link, victim ID & BTC wallet. The URLs are now dead.
- Data leak site operated on avaddonbot[.]space, later moved to other domains; victims were listed there. Conduct a security posture review to confirm no lingering exfiltrated data.
- Persistence via scheduled tasks had a fallback Cloudflare Workers endpoint (https://cflifeas.pics/[channel]/update) which still served the mutex check; block external DNS probing for *.pics.
- Neutered samples circulate on P2P and cracked-software hubs; AV vendors re-detect them as “Trojan.GenericKD.43941215.”
- Keep an incident-response flight card available for executives in case of repeat infection:
  - Hotline playbook PDF (EU CERT),
  - Contact FBI/CISA (IC3) to add the case to the Avaddon tracker / leak-site dataset,
  - Follow GDPR / HIPAA breach regulations if PHI is involved.
TL;DR Closure
.avdn is strongly tied to the Avaddon strain, whose master decryption key was leaked on New Year’s Eve 2020. Disinfect fully, apply the community decryptor to restore files, and harden going forward by patching the EternalBlue-era flaws the campaign rode in on.