Avaddon, a new ransomware-as-a-service, or RaaS, protocol, is the latest to jump on the crypto extortion bandwagon. Similar to ransomware from groups like Maze and REvil, the Avaddon project offers revenue-sharing for users who successfully deploy the software on unsuspecting victims.
According to research by the cyber intelligence firm, DomainTools, RaaS development allows hackers to focus their efforts on malware development, rather than finding new places to deploy their attacks. Developers instead rely on third-party individuals who are looking to generate income by launching their own ransomware campaigns.
Speaking with Cointelegraph, Tarik Saleh, senior security engineer and malware researcher at DomainTools, commented on the affiliate scheme used within the ransomware:
“Malware authors are looking to make profits with as low of a risk as possible and the RaaS / affiliate model does just that. Cybercriminals follow tactics and techniques of other successful threat actors, so we can expect the rise of RaaS and affiliate model programs to continue.”
Saleh explains that as of today, there are no publicly available decryptors for Avaddon, aside from the ones provided to victims once the malware’s ransom is paid.
While Bitcoin is the preferred method of payment for this particular ransomware, Saleh has witnessed a change in that trend in recent months. Citing the recent Twitter hack, he noted that, “We are seeing a shift towards Monero, however, as Bitcoin doesn’t offer the [same] privacy protections and anonymity.”
Saleh believes that the ransomware’s developers are Russian due to the fact that they only sell to Russian language speaking customers on Russian marketplaces.
Russia’s government has “largely turned a blind eye towards taking down cybercriminals that don’t involve Russian assets.” This unspoken arrangement seemingly allows Russian ransomware authors to operate with a very low risk of punishment, Saleh added.