Avaddon ransomware operators are now using DDoS attacks as a negotiation tactic to force victims into paying. This tactic, called Ransom DDoS (or RDDoS), is already in use by some ransomware operators, including SunCrypt and RagnarLocker. It is useful to ransomware operators when a victim does not contact them after the attack.
In this tactic, after encrypting the files on the victim’s network, attackers usually flood the victim’s website or network connection with large requests to put additional pressure on the victim to pay the ransom.
- The operators posted a message on the victim’s website claiming that they will continue the DDoS attack until the victim makes contact or pays the ransom.
- After infection, the ransomware encrypts a wide range of file types, including images, videos, spreadsheets, documents, audio files, databases, and archives.
- In addition, Avaddon encrypts important data and appends the .avdn extension to the name of each affected file. For example, a file named one.jpg will be renamed one.jpg.avdn.
- The ransomware can spread via various infection vectors, such as corrupted advertisements, spam emails, fake social media posts/pages, or fraudulent software updates.
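A triage sketch for the renaming behaviour described above, added here as an example and not taken from the article or from any vendor tooling: it inventories files carrying the .avdn suffix so responders can scope which directories and file types were hit. The function names and sample paths are constructed for illustration.

```python
import os
from collections import Counter
from pathlib import PurePosixPath

SUFFIX = ".avdn"  # extension the article says Avaddon appends


def original_name(path):
    """Return the pre-encryption file name, or None if the path is not marked."""
    name = PurePosixPath(path).name
    if not name.lower().endswith(SUFFIX) or len(name) == len(SUFFIX):
        return None  # unmarked, or a file literally named ".avdn"
    return name[:-len(SUFFIX)]


def summarize(paths):
    """Count marked files per directory and per original file type."""
    by_dir, by_type, marked = Counter(), Counter(), 0
    for p in paths:
        orig = original_name(p)
        if orig is None:
            continue
        marked += 1
        by_dir[str(PurePosixPath(p).parent)] += 1
        by_type[PurePosixPath(orig).suffix.lower() or "(none)"] += 1
    return {"marked": marked, "by_dir": dict(by_dir), "by_type": dict(by_type)}


def walk(root):
    """Yield every file path under root (a mounted share or forensic image)."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    "/srv/share/finance/q3.xlsx.avdn",
    "/srv/share/finance/q4.xlsx.AVDN",   # suffix match is case-insensitive
    "/srv/share/media/one.jpg.avdn",
    "/srv/share/media/two.jpg",          # untouched file, ignored
    "/srv/share/notes/README.avdn",      # original had no extension
    "/srv/share/notes/.avdn",            # not a renamed file, ignored
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a live system, pass `walk(root)` to `summarize` in place of the sample list; the per-directory counts show where to prioritise restores from backup.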
Recent RDDoS attack
- Recently, security firm Radware found that a DDoS campaign targeted victims twice after they failed to pay the initial ransom.
- A major Fortune Global 500 organization was targeted by the Lazarus Group in late 2020.
The RDDoS tactic is very effective for cybercriminals, as it puts pressure on the organization to pay the ransom quickly. Experts therefore suggest taking a proactive approach: backing up important data, using strong passwords, updating every network device, and training employees to identify phishing emails.