

Avaddon Ransomware Operators Launch New Site

Following in the footsteps of other ransomware operators such as MAZE and REvil (Sodinokibi), the Avaddon ransomware group has launched a new dump website. The threat actor will use the website to post data stolen from companies that do not pay the ransom. The purpose of these websites is to scare victims into paying the ransom or face the reputational and regulatory consequences of a public data breach, which can be more problematic for companies. The group announced the new site on a Russian hacking forum, as originally reported by the intelligence firm Kela. Currently, there is only one victim on the website, with 3.5MB of data posted.

Analyst Notes

Binary Defense intelligence analysts noted the new website when it was announced on a Russian-language forum and added it to the list of threat actor sites that are monitored regularly. The use of dump websites by ransomware threat actors has become common within the past year. The threat to leak the data of a company that does not pay is a scare tactic that appears to be effective enough to entice other threat actors to adopt the same approach. If the victims pay the ransom, the group promises not to release the data, but there is no guarantee that the criminals will keep their word. While they may not release the data publicly, there is nothing to stop the ransomware operators from privately selling the stolen data or using it for other fraud.

To avoid these issues, companies should have proper defenses in place to stop ransomware attacks in the early stages and avoid data theft in the first place. Protecting remote access portals by not exposing Remote Desktop Protocol (RDP) to the Internet and educating employees to recognize phishing attacks are important security controls. Multi-Factor Authentication (MFA) for all remote access methods helps to protect accounts even when passwords are stolen. Patching public-facing servers is also very important. Even when threat actors bypass security controls, a Security Operations Center that monitors for threats 24 hours a day, or a managed security service such as Binary Defense’s Managed Detection and Response (MDR) with the Security Operations Task Force monitoring around the clock, can detect ransomware attacks early and stop the threat actors from stealing data from a company.

More information can be found here: