[Avaddon(3) ransomware]
[Virus/malware activity reported: Avaddon(3) ransomware]
A security incident presumed to involve a form of Avaddon(3) ransomware has occurred.
We confirm the situation and issue the following warning.
Avaddon(3) ransomware
The ransomware is called Avaddon(3). It appears to rename every file it encrypts to an encrypted name with the extension CBbdcAAcEa.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Windows error recovery notification window and recovery mode
In case exceptions occur while it runs in the background, the ransomware suppresses the Windows error recovery notification window and disables Windows recovery mode.
[Figure 3 Windows error recovery notification window and recovery mode]
UAC permission settings
To run without interruption, the ransomware disables UAC so that the permission request notification window does not appear. It additionally confirms that UAC is disabled.
[Figure 4 UAC permission settings]
[Figure 5 UAC permission settings]
Deleting shadow copies
After encryption, shadow copies are deleted to make it difficult for users to recover files.
[Figure 6 Deleting shadow copies]
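The three behaviors above leave process-creation records that can be matched and correlated per host. The following is an added example, not part of the original advisory or of White Defender. The command-line patterns are common forms of each behavior, not strings confirmed for this sample (the figures are not available), and the log format, host names and events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed patterns: common command-line forms of the three behaviors,
# not strings taken from this Avaddon(3) sample.
RULES = {
    "recovery_tamper": re.compile(
        r"bcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "uac_disable": re.compile(
        r"reg(\.exe)?\s+add\b.*\\policies\\system\b.*\benablelua\b.*/d\s+0\b", re.I),
    "shadow_delete": re.compile(
        r"vssadmin(\.exe)?\b.*\bdelete\s+shadows\b|wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
}

# Constructed process-creation events: "timestamp|host|command line".
SAMPLE = r"""2024-01-01T10:00:02|PC-01|bcdedit.exe /set {default} recoveryenabled No
2024-01-01T10:00:03|PC-01|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2024-01-01T10:00:05|PC-01|reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2024-01-01T10:04:40|PC-01|wmic.exe shadowcopy delete
2024-01-01T11:00:00|PC-02|vssadmin list shadows
2024-01-01T11:05:00|PC-02|bcdedit /enum
2024-01-01T09:00:00|PC-03|vssadmin delete shadows /for=C: /oldest
"""

def classify(cmdline):
    """Return the set of behavior names whose pattern matches the command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(lines, window=timedelta(minutes=10), threshold=2):
    """Flag hosts showing >= threshold distinct behaviors inside one time window."""
    hits = defaultdict(list)  # host -> [(time, behavior)]
    for line in lines:
        ts, host, cmd = line.split("|", 2)
        for name in classify(cmd):
            hits[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {n for t, n in events[i:] if t - start <= window}
            if len(seen) >= threshold and len(seen) > len(alerts.get(host, ())):
                alerts[host] = seen
    return {h: sorted(s) for h, s in alerts.items()}

if __name__ == "__main__":
    for host, behaviors in correlate(SAMPLE.splitlines()).items():
        print(host, behaviors)
```

A single match, such as the routine shadow copy cleanup on PC-03, is classified but not alerted; only the combination on one host within the window raises a flag.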
Infection results
A ransom note named private key_readme_.txt is created in each folder, and encrypted files are renamed to <encrypted name>.CBbdcAAcEa.
[Figure 7 Infection result 1]
[Figure 8 Infection result 2]
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 9 Block message]
[Figure 10 Block message]
[Figure 11 Block message]