Avanzi Ransomware Expects Payment in Bitcoin


During the examination of new malware samples, we identified a ransomware variant named Avanzi, which belongs to the Dharma family. Once it runs on a computer, Avanzi encrypts files, appends its own suffix to their names, displays a ransom note in a pop-up window, and drops a second, much shorter note in a file named "info.txt".

Avanzi renames each encrypted file by appending the victim's ID, the avanziahelp@cock.li contact address in square brackets, and the ".avan" extension. For instance, "1.jpg" becomes "1.jpg.id-9ECFA84E.[avanziahelp@cock.li].avan" and "2.png" becomes "2.png.id-9ECFA84E.[avanziahelp@cock.li].avan". Because the ID and the contact address are the same on every file, the suffix is a reliable indicator when triaging an affected host.
The ransom note in the pop-up window opens by declaring that all files have been encrypted and assures the victim that they can be recovered. Victims are told to write to avanziahelp@cock.li and quote their ID; if the attackers have not replied within 12 hours, the note says to try a second address, avanzirest@tuta.io.

The note also offers to decrypt up to three files free of charge as proof that recovery works, subject to limits on their size and content. It then explains where to buy Bitcoin, the only payment method mentioned, and warns against renaming encrypted files or trying third-party decryption tools, citing permanent data loss, inflated prices and scams.
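The filename suffix and the contact addresses described above are the quickest way to scope an Avanzi incident. The following Python script is an added example, not code from the original article or from the malware itself: it parses the ".id-<8 hex>.[<email>].avan" suffix to recover original filenames, the victim ID and the contact address, and flags an "info.txt" that names either attacker mailbox as a ransom note. The sample file list embedded in the script is constructed for illustration, and the general pattern (any hex ID, any bracketed email) is an assumption drawn from the two examples on this page, so unfamiliar addresses are reported separately rather than silently accepted.

```python
import os
import re
from collections import Counter

# Filename pattern observed on the Avanzi sample (Dharma-style):
#   <original name>.id-<8 hex chars>.[<contact email>].avan
# Generalising the ID and the email to any value is an assumption.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.avan$"
)

# Contact addresses quoted in the info.txt note and the pop-up window.
KNOWN_CONTACTS = {"avanziahelp@cock.li", "avanzirest@tuta.io"}
NOTE_NAME = "info.txt"


def parse_encrypted_name(path: str):
    """Return the parts of an Avanzi-renamed file, or None if the name does not match."""
    m = ENCRYPTED_NAME_RE.match(path)
    if m is None:
        return None
    return {
        "original": m["original"],
        "victim_id": m["victim_id"].upper(),
        "email": m["email"].lower(),
    }


def is_ransom_note(path: str, text: str) -> bool:
    """An info.txt counts as a ransom note if it names one of the attacker mailboxes."""
    if os.path.basename(path).lower() != NOTE_NAME:
        return False
    lowered = text.lower()
    return any(contact in lowered for contact in KNOWN_CONTACTS)


def triage(entries):
    """Summarise (path, text) pairs; text is None for files that were not read."""
    summary = {
        "encrypted": [],          # original names recovered from encrypted file names
        "victim_ids": Counter(),  # should collapse to a single ID on one host
        "contacts": Counter(),
        "notes": [],              # paths of ransom notes found
        "unknown_contacts": set(),  # bracketed emails not seen in this sample's notes
    }
    for path, text in entries:
        parts = parse_encrypted_name(path)
        if parts:
            summary["encrypted"].append(parts["original"])
            summary["victim_ids"][parts["victim_id"]] += 1
            summary["contacts"][parts["email"]] += 1
            if parts["email"] not in KNOWN_CONTACTS:
                summary["unknown_contacts"].add(parts["email"])
        elif text is not None and is_ransom_note(path, text):
            summary["notes"].append(path)
    return summary


def triage_directory(root: str, max_note_bytes: int = 4096):
    """Walk a real directory tree; only small info.txt files are opened and read."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            text = None
            if fn.lower() == NOTE_NAME and os.path.getsize(full) <= max_note_bytes:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            entries.append((os.path.relpath(full, root), text))
    return triage(entries)


# Constructed sample listing: two names from the article, one with a lowercase ID
# inside a subdirectory, the short info.txt note, and two files that must not match.
SAMPLE_ENTRIES = [
    ("1.jpg.id-9ECFA84E.[avanziahelp@cock.li].avan", None),
    ("2.png.id-9ECFA84E.[avanziahelp@cock.li].avan", None),
    ("docs/report.docx.id-9ecfa84e.[avanziahelp@cock.li].avan", None),
    ("info.txt", "all your data has been locked us\n\nYou want to return?\n\n"
                 "write email avanziahelp@cock.li or avanzirest@tuta.io\n"),
    ("readme.txt", "nothing to see here"),
    ("notes.avan", None),  # has the extension but not the full Dharma suffix
]

if __name__ == "__main__":
    result = triage(SAMPLE_ENTRIES)
    print("encrypted files:", len(result["encrypted"]))
    print("victim IDs:", dict(result["victim_ids"]))
    print("contacts:", dict(result["contacts"]))
    print("ransom notes:", result["notes"])
    print("unknown contacts:", result["unknown_contacts"])
```

Run it against a mounted disk image or a file-server share with triage_directory(root); a second victim ID in the same tree usually means two separately infected machines wrote to the share, and any address in unknown_contacts is worth adding to the block list and searching for elsewhere in the environment.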

Avanzi Ransom Note Keeps it Brief

The full text of the "info.txt" file generated by Avanzi reads as follows:

all your data has been locked us

You want to return?

write email avanziahelp@cock.li or avanzirest@tuta.io

The longer text in the pop-up window likewise never states a ransom amount; the price is only revealed once the victim makes contact, and the note limits itself to instructions on how to obtain Bitcoin. It reads as follows:

Avanzi

All your files have been encrypted!

Don’t worry, you can return all your files!
If you want to restore them, write to the mail: avanziahelp@cock.li YOUR ID:
If you have not answered by mail within 12 hours, write to us by another mail: avanzirest@tuta.io

Free decryption as guarantee
Before paying you can send us up to 3 file for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How Can You Protect Your Files from Ransomware Similar to Avanzi?

Protecting your files from ransomware such as Avanzi involves a combination of proactive measures to prevent infection and a tested recovery plan in case an attack succeeds. Dharma-family samples are typically run by hand after the attackers gain remote access, most often through Remote Desktop with weak or reused credentials, so hardening exposed remote-access services (unique passwords, multi-factor authentication, no direct Internet exposure of RDP) belongs alongside the recommendations below:

Regular Backups:
Regularly back up your important files to an external device or a secure cloud service.
Ensure the backup process is automated and frequent, so you always have up-to-date copies of your data.

Offline Backups:
Keep at least one set of backups offline or disconnected from your network to prevent ransomware from reaching and encrypting them.

Security Software:
Use reputable antivirus and anti-malware software to detect and block ransomware threats.
Keep your security software, operating system, and applications up to date with the latest patches and updates.

Email and Web Filtering:
Implement email filtering solutions to identify and block phishing emails that may carry ransomware.
Use web filtering tools to block access to malicious websites that may distribute ransomware.

Application Whitelisting:
Use application whitelisting (allow-listing) so that only approved programs can run, preventing unauthorized executables, including ransomware dropped by an intruder, from launching. Note that this does not stop an attacker who already holds administrative credentials from disabling the policy, which is another reason to secure remote access first.

January 19, 2024
FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.