
U.S. Industries Impacted by New Russian Ransomware Attack



The Federal Bureau of Investigation (FBI) recently issued an alert detailing how unidentified, Russian-speaking cyber actors used Avaddon ransomware to attack U.S. and foreign private sector companies, manufacturing organizations, and healthcare agencies.

The ransomware is distributed through malspam campaigns, in which victims are lured by email phishing scams into downloading the malware. Once it is installed, Avaddon ransomware actors compromise victims using remote access login credentials, then map the network and identify backups for deletion and/or encryption. The malware escalates privileges, contains anti-analysis protection code, enables persistence on a victim system, and verifies the victim is not located in Russia or other former Soviet Union countries. Avaddon ransomware actors maintain a website used to publish exfiltrated data from victim networks if the ransom demand is not satisfied. Due to the potential of harvesting proprietary and/or government-related data, the exfiltration is a counterintelligence (CI) threat.

The Avaddon attackers leveraged the following applications to compromise victims and to aid in system exploration:

· PowerShell

· WMIC.exe (WMI - Windows Management Instrumentation)

· Svchost.exe (Service host system process)

· Taskhost.exe (Host protocol)


If your organization was impacted by the attack, the FBI does not recommend issuing ransom payments to the criminal actors. Paying a ransom does not guarantee the recovery of the compromised files, and doing so may also encourage future attacks on additional entities, increase the distribution of ransomware, and fund other illicit activities.

When faced with attacks and the inability to function, the FBI encourages companies to evaluate all available options to protect stakeholders and to report incidents to the FBI to provide information that helps investigators to track ransomware attackers and prevent future attacks. Companies should also follow established internal procedures if they suspect any malicious activity and promptly report the incident per existing policies, regulations, and agreements.

In addition to reporting the incident, the FBI recommends the following mitigations:

· Back-up critical data offline;

· Ensure copies of critical data are in the cloud or on an external hard drive or storage device;

· Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides;

· Use two-factor authentication with strong passwords, including for remote access services;

· Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable;

· Regularly change passwords to critical systems;

· Keep computers, devices, and applications patched and up to date; and

· Install and regularly update antivirus or anti-malware software on all hosts.


If your company suspects it has been a victim of the Avaddon attack and needs additional support, Key Cyber Solutions can help to evaluate the impact and make recommendations to quickly resume normal business operations. For more information, contact us or visit www.keycybersolutions.com.

