Concrete signature match: Ransomware - Encrypts files and demands payment for 32-bit Windows platform, family Avaddon
Ransom:Win32/Avaddon.P!MSR is a concrete detection for the Avaddon ransomware, a critical threat that encrypts a victim's files and demands a ransom for their decryption. It typically drops a ransom note (e.g., read_me_lock.txt) instructing users to use the Tor browser to access .onion sites for payment, and attempts to delete shadow copies to hinder recovery.
Relevant strings associated with this threat:
- /Your network has been infected by <span>Avaddon (PEHSTR)
- have been <b>encrypted (PEHSTR)
- Avaddon General Decryptor (PEHSTR)
- 1\BIN\%s.exe (PEHSTR)
- \XMedCon\bin\medcon.exe (PEHSTR)
- P?% (SNID)
- your files have been encrypted (PEHSTR)
- .onion (PEHSTR)
- read_me_lock.txt (PEHSTR)
rule Ransom_Win32_Avaddon_P_2147783567_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Ransom:Win32/Avaddon.P!MSR"
        threat_id = "2147783567"
        type = "Ransom"
        platform = "Win32: Windows 32-bit platform"
        family = "Avaddon"
        severity = "Critical"
        info = "MSR: Microsoft Security Response"
        signature_type = "SIGNATURE_TYPE_PEHSTR"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_2_1 = "your files have been encrypted" ascii //weight: 2
        $x_1_2 = ".onion" ascii //weight: 1
        $x_1_3 = "Tor browser" ascii //weight: 1
        $x_2_4 = "read_me_lock.txt" ascii //weight: 2
        $x_1_5 = "C:\\Users\\lock.txt" wide //weight: 1
        $x_1_6 = "Win32_ShadowCopy.ID='%s'" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((4 of ($x_1_*))) or
            ((1 of ($x_2_*) and 2 of ($x_1_*))) or
            ((2 of ($x_2_*))) or
            (all of ($x*))
        )
}

12bba7161d07efcb1b14d30054901ac9ffe5202972437b0c47c88d71e45c7176

Immediately isolate affected systems to prevent further spread. Use an updated antivirus solution to remove the ransomware. Restore encrypted files from secure, offline backups. Implement robust security hygiene, including regular patching, strong endpoint protection, and network segmentation, to prevent future infections.
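The condition block of the rule above is the expanded form of a PEHSTR weighted threshold (threshold 4, string weights from the `//weight` comments). The following Python is an added example, not code from this page or from any detection engine: it reproduces that scoring over constructed sample buffers and checks that the clause-by-clause condition and the plain weight sum agree on every combination of the six strings.

```python
"""Plain-Python reproduction of the weighted condition in
Ransom_Win32_Avaddon_P_2147783567_0. 'ascii' strings match as raw
bytes, 'wide' strings as UTF-16LE, which is how YARA treats them."""
from itertools import combinations

# Strings and weights copied from the rule; weights come from the // comments.
STRINGS = [
    ("x_2_1", "your files have been encrypted", "ascii", 2),
    ("x_1_2", ".onion", "ascii", 1),
    ("x_1_3", "Tor browser", "ascii", 1),
    ("x_2_4", "read_me_lock.txt", "ascii", 2),
    ("x_1_5", "C:\\Users\\lock.txt", "wide", 1),
    ("x_1_6", "Win32_ShadowCopy.ID='%s'", "wide", 1),
]
THRESHOLD = 4                 # the rule's threshold meta field
MAX_SIZE = 20 * 1024 * 1024   # filesize < 20MB

def encode(value, modifier):
    return value.encode("utf-16-le" if modifier == "wide" else "ascii")

def matched(buf):
    """Identifiers of rule strings present in buf, in rule order."""
    return [n for n, v, m, _ in STRINGS if encode(v, m) in buf]

def threshold_condition(buf):
    """PEHSTR semantics: sum of weights of matched strings >= threshold."""
    hits = set(matched(buf))
    weight = sum(w for n, _, _, w in STRINGS if n in hits)
    return len(buf) < MAX_SIZE and weight >= THRESHOLD

def yara_condition(buf):
    """The rule's condition block, clause by clause."""
    hits = set(matched(buf))
    w1 = sum(n.startswith("x_1_") for n in hits)   # weight-1 strings hit
    w2 = sum(n.startswith("x_2_") for n in hits)   # weight-2 strings hit
    return len(buf) < MAX_SIZE and (
        w1 >= 4 or (w2 >= 1 and w1 >= 2) or w2 >= 2 or len(hits) == len(STRINGS))

def conditions_agree():
    """Both formulations must match on every subset of the six strings."""
    for k in range(len(STRINGS) + 1):
        for subset in combinations(STRINGS, k):
            buf = b"|".join(encode(v, m) for _, v, m, _ in subset)
            if threshold_condition(buf) != yara_condition(buf):
                return False
    return True

# Constructed sample buffers (not real malware), with their expected weights.
BENIGN = b"Open the Tor browser and visit docs.onion for help."           # 1+1 = 2
NOTE = b"your files have been encrypted! Use the Tor browser: pay.onion"  # 2+1+1 = 4
SHADOW = "Win32_ShadowCopy.ID='%s'".encode("utf-16-le") + b"|read_me_lock.txt"  # 1+2 = 3
```

Only NOTE reaches the threshold; SHADOW shows that the shadow-copy WMI string plus the ransom-note filename alone (weight 3) is not enough for this rule to fire.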