Publication: Avaddon ransomware: An in-depth analysis and decryption of infected systems
| carlosiii.embargo.terms | 2023-10-01 | |
| dc.affiliation.dpto | UC3M. Departamento de Informática | es |
| dc.affiliation.grupoinv | UC3M. Grupo de Investigación: COSEC (Computer SECurity Lab) | es |
| dc.contributor.author | Yuste, Javier | |
| dc.contributor.author | Pastrana Portillo, Sergio | |
| dc.contributor.funder | Comunidad de Madrid | es |
| dc.contributor.funder | Ministerio de Ciencia, Innovación y Universidades (España) | es |
| dc.date.accessioned | 2022-01-11T12:57:40Z | |
| dc.date.available | 2023-10-01T23:00:05Z | |
| dc.date.issued | 2021-10 | |
| dc.description.abstract | Malware is an emerging and popular threat flourishing in the underground economy. The commoditization of Malware-as-a-Service (MaaS) allows criminals to obtain financial benefits at a low risk and with little technical background. One such popular product is ransomware, which is a popular type of malware traded in the underground economy. In ransomware attacks, data from infected systems is held hostage (encrypted) until a ransom is paid to the criminals. In addition, a recent blackmailing strategy adopted by criminals is to leak data online from the infected systems if the ransom is not paid before a given time, producing further economic and reputational damage. In this work, we perform an in-depth analysis of Avaddon, a ransomware offered in the underground economy as an affiliate program business. This threat has been linked to various cyberattacks and has infected and leaked data from at least 62 organizations. Additionally, it also runs Distributed Denial-of-Service (DDoS) attacks against victims that do not pay the ransom. We first provide an analysis of the criminal business model in the underground economy. Then, we identify and describe its technical capabilities, dissecting details of its inner structure. As a result, we provide tools to assist analysis, decrypting and labeling obfuscated strings observed in the ransomware binary. Additionally, we provide empirical evidence of links between this variant and a previous family, suggesting that the same group was behind the development and, possibly, the operation of both campaigns. Finally, we develop a procedure to recover files encrypted by Avaddon. We successfully tested the proposed procedure against different versions of Avaddon. The proposed method is released as an open-source tool so it can be incorporated in existing Antivirus engines and extended to decrypt other ransomware families that implement a similar encryption approach. | en |
| dc.description.sponsorship | We thank the anonymous reviewers for their valuable comments. This work was supported by the Spanish grants ODIO (PID2019-111429RB-C21 and PID2019-111429RB), the Ministerio de Ciencia, Innovación y Universidades (Ref. PGC2018-095322-B-C22) and by the Region of Madrid grants CYNAMON-CM (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER, and Excellence Program EPUC3M17. The opinions, findings, and conclusions or recommendations expressed are those of the authors and do not necessarily reflect those of any of the funders. | en |
| dc.format.extent | 20 | |
| dc.identifier.bibliographicCitation | Yuste, J. & Pastrana, S. (2021). Avaddon ransomware: An in-depth analysis and decryption of infected systems. Computers & Security, 109, 102388. | en |
| dc.identifier.doi | https://doi.org/10.1016/j.cose.2021.102388 | |
| dc.identifier.issn | 0167-4048 | |
| dc.identifier.publicationfirstpage | 1 | |
| dc.identifier.publicationissue | 102388 | |
| dc.identifier.publicationlastpage | 20 | |
| dc.identifier.publicationtitle | Computers & Security | en |
| dc.identifier.publicationvolume | 109 | |
| dc.identifier.uri | https://hdl.handle.net/10016/33861 | |
| dc.identifier.uxxi | AR/0000028977 | |
| dc.language.iso | eng | en |
| dc.publisher | Elsevier | en |
| dc.relation.projectID | Gobierno de España. PID2019-111429RB-C21 | es |
| dc.relation.projectID | Gobierno de España. PID2019-111429RB | es |
| dc.relation.projectID | Gobierno de España. PGC2018-095322-B-C22 | es |
| dc.relation.projectID | Comunidad de Madrid. P2018/TCS-4566 | es |
| dc.rights | © 2021 Elsevier Ltd. All rights reserved. | en |
| dc.rights | Atribución-NoComercial-SinDerivadas 3.0 España | * |
| dc.rights.accessRights | open access | en |
| dc.rights.uri | http://creativecommons.org/licenses/by-nc-nd/3.0/es/ | * |
| dc.subject.eciencia | Informática | es |
| dc.subject.other | Avaddon | en |
| dc.subject.other | Ransomware | en |
| dc.subject.other | Malware analysis | en |
| dc.subject.other | Reverse engineering | en |
| dc.subject.other | Cybersecurity | en |
| dc.title | Avaddon ransomware: An in-depth analysis and decryption of infected systems | en |
| dc.type | research article | * |
| dc.type.hasVersion | AM | * |
| dspace.entity.type | Publication |
Files
Original bundle
1 - 1 of 1