
Avanzi Ransomware

In the course of examining potentially threatening software, cybersecurity researchers have identified a ransomware variant referred to as Avanzi. Once it has infiltrated a computer, Avanzi encrypts files, renames them, displays a ransom note to the victim and drops a second, shorter note in a file named 'info.txt'.

Upon infection, Avanzi appends three elements to each filename: the victim's ID, the email address 'avanziahelp@cock.li' and the '.avan' extension. For instance, it renames '1.png' to '1.png.id-9ECFA74E.[avanziahelp@cock.li].avan' and '2.pdf' to '2.pdf.id-9ECFA74E.[avanziahelp@cock.li].avan'. The ID in these examples is specific to one infection; each victim receives a different one. The naming layout itself is a useful indicator: Avanzi belongs to the infamous Dharma family of ransomware, whose variants share this '<original name>.id-<ID>.[<email>].<extension>' scheme and differ mainly in the contact address and extension.
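The renaming scheme can be parsed back: the original filename, the victim ID and the attackers' contact address are all recoverable from an encrypted filename, which is useful when scoping an incident from a directory listing alone. The following Python is an added example, not code from the page or from any vendor tool. It assumes the victim ID is always eight hexadecimal digits (as in the '9ECFA74E' example) and takes the extension as a parameter so it also fits other Dharma variants that use the same layout; the sample listing is constructed.

```python
import re
from collections import Counter

# Dharma-family layout: <original name>.id-<victim ID>.[<contact email>].<extension>
# The extension is a parameter so the same parser serves other Dharma
# variants; Avanzi's is '.avan'. The victim ID is taken as 8 hex digits,
# matching the '9ECFA74E' example above (assumption: the length is fixed).
def encrypted_name_pattern(ext="avan"):
    return re.compile(
        r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
        r"\.\[(?P<email>[^\]\s]+)\]\." + re.escape(ext) + r"$"
    )

def parse_encrypted_name(name, ext="avan"):
    """Return the original name, victim ID and contact email embedded in an
    encrypted filename, or None if the name does not follow the layout."""
    m = encrypted_name_pattern(ext).match(name)
    return m.groupdict() if m else None

def triage_listing(names, ext="avan"):
    """Split a directory listing into encrypted and untouched files and
    summarize the attacker identifiers recoverable from the names alone."""
    encrypted, untouched = {}, []
    for name in names:
        info = parse_encrypted_name(name, ext)
        if info:
            encrypted[name] = info
        else:
            untouched.append(name)
    return {
        "encrypted": encrypted,
        "untouched": untouched,
        "victim_ids": dict(Counter(i["victim_id"] for i in encrypted.values())),
        "emails": dict(Counter(i["email"] for i in encrypted.values())),
        # Avanzi drops its second note as 'info.txt'
        "ransom_notes": [n for n in untouched if n.lower() == "info.txt"],
    }

# Constructed sample listing (not taken from a real infection).
SAMPLE_LISTING = [
    "1.png.id-9ECFA74E.[avanziahelp@cock.li].avan",
    "2.pdf.id-9ECFA74E.[avanziahelp@cock.li].avan",
    "backup.tar.gz.id-9ECFA74E.[avanziahelp@cock.li].avan",
    "report.docx",
    "info.txt",
]

if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    for name, info in summary["encrypted"].items():
        print(f"{name} -> original {info['original']}, "
              f"victim {info['victim_id']}, contact {info['email']}")
    print("untouched:", summary["untouched"])
    print("ransom notes:", summary["ransom_notes"])
```

The parser only recovers metadata from names; it does not touch file contents, and nothing in the filename helps with decryption. Seeing more than one victim ID or contact address across a share is a sign that several machines (or several campaigns) have written to it.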

The Avanzi Ransomware Could Cause Serious Damage to Compromised Devices

The ransom note issued by the Avanzi Ransomware begins with an announcement informing victims that all their files have undergone encryption but assuring them of the possibility of recovery. Victims are directed to establish contact with the attackers within a strict 12-hour timeframe via the specified email address (avanziahelp@cock.li), with an alternative email (avanzirest@tuta.io) provided for instances of delayed response.

To exhibit a semblance of goodwill, the note offers free decryption of up to three files, subject to conditions on their size and content. It also points victims to guidance on buying Bitcoin, the demanded form of payment. Finally, it warns against renaming encrypted files or attempting decryption with third-party software, claiming that doing so risks permanent data loss, a higher price or falling victim to a scam. A successful test decryption only shows that the attackers hold a working key; it is no guarantee that paying will produce a decryptor.

Avanzi also weakens the compromised host's defenses. It disables the firewall and deletes Shadow Volume Copies, closing off one of the most common routes to recovering files without paying. Initial access comes through Remote Desktop Protocol (RDP) services that are reachable from the internet.

That access path is brute-force and dictionary attacks against accounts on the exposed RDP service, so the weakness being exploited is weak or reused credentials rather than a flaw in RDP itself; a quick check for this exposure is whether TCP port 3389 on the host is reachable from the internet. Once running, the malware establishes persistence on the infected system so that it survives reboots, and it enumerates storage locations to encrypt while skipping a predefined set of locations, which lets it keep running and extend its impact over time.
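Two of the behaviours described above leave traces in the Windows event logs: the RDP brute force shows up as a burst of failed logons (Security event 4625 with logon type 10, RemoteInteractive) from one source address, often followed by a successful logon (4624) from the same address, and shadow-copy deletion and firewall changes show up as process-creation events (4688, with command-line auditing enabled). The following Python is an added example, not code from the page or from any vendor tool, that runs both checks over a small constructed log written in a simplified key=value form (not real event-log text). The page does not name the commands Avanzi runs; the vssadmin, wmic and netsh patterns are assumptions based on how those actions are commonly performed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption: a simplified key=value rendering of
# Windows Security events, not real event-log text).
#   4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP,
#   4688 = process creation (needs command-line auditing enabled).
SAMPLE_LOG = """\
2024-01-10T08:00:01Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=administrator
2024-01-10T08:00:03Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=admin
2024-01-10T08:00:05Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=backup
2024-01-10T08:00:06Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=user1
2024-01-10T08:00:08Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=scan
2024-01-10T08:00:09Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=test
2024-01-10T08:01:00Z EventID=4625 LogonType=2 SourceIP=- User=jdoe
2024-01-10T08:30:00Z EventID=4625 LogonType=10 SourceIP=198.51.100.9 User=jdoe
2024-01-10T08:31:00Z EventID=4624 LogonType=10 SourceIP=203.0.113.7 User=administrator
2024-01-10T08:35:12Z EventID=4688 User=administrator CommandLine="vssadmin delete shadows /all /quiet"
2024-01-10T08:35:15Z EventID=4688 User=administrator CommandLine="netsh advfirewall set allprofiles state off"
2024-01-10T08:36:00Z EventID=4688 User=jdoe CommandLine="notepad.exe info.txt"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log(text):
    """Parse the key=value lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for key, raw, quoted in KV_RE.findall(rest):
            ev[key] = quoted if raw.startswith('"') else raw
        events.append(ev)
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding
    window. Returns {ip: time the threshold was first crossed}."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev.get("EventID") != "4625" or ev.get("LogonType") != "10":
            continue
        ip = ev.get("SourceIP", "-")
        q = recent[ip]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ev["ts"]
    return flagged

def successful_logons_after_bruteforce(events, flagged):
    """The strongest signal: an RDP logon that succeeds from an IP that was
    already brute-forcing. Returns (ts, ip, user) tuples."""
    return [
        (ev["ts"], ev["SourceIP"], ev.get("User"))
        for ev in events
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "10"
        and ev.get("SourceIP") in flagged and ev["ts"] >= flagged[ev["SourceIP"]]
    ]

# Assumption: the page says Avanzi deletes Shadow Volume Copies and disables
# the firewall but does not name the commands; these are the usual ones.
RECOVERY_INHIBITION = [
    ("shadow copies deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow copies deleted", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("firewall disabled", re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
]

def detect_recovery_inhibition(events):
    """Return (ts, label, command line) for process creations matching the
    shadow-copy deletion or firewall-off patterns."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4688":
            continue
        cmd = ev.get("CommandLine", "")
        for label, pattern in RECOVERY_INHIBITION:
            if pattern.search(cmd):
                hits.append((ev["ts"], label, cmd))
                break
    return hits

def analyze(text):
    events = parse_log(text)
    flagged = detect_rdp_bruteforce(events)
    return {
        "bruteforce_sources": flagged,
        "successful_after_bruteforce": successful_logons_after_bruteforce(events, flagged),
        "recovery_inhibition": detect_recovery_inhibition(events),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The threshold and window are deliberately conservative; the point is the ordering in the sample, which mirrors the page's description: a burst of failures from one address, a success from the same address half an hour later, then the shadow-copy and firewall commands run under the account that was just brute-forced. On a real host, process command lines are only available if "Include command line in process creation events" is enabled in audit policy.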

How to Protect Your Devices from Ransomware Threats?

Protecting devices from ransomware threats involves adopting a multi-layered approach to enhance overall cybersecurity. Here are some key practices and recommendations:

  • Keep Software Updated: Regularly update operating systems, security software and applications. Software updates often include security patches that address vulnerabilities exploited by ransomware.
  • Install Reliable Anti-Malware Software: Use reputable security software that provides real-time protection against threats such as ransomware. Ensure that it is set to update and run scans automatically.
  • Back Up Important Data: Regularly back up critical data to an external hard drive or a secure cloud service, and keep at least one copy offline or otherwise unreachable from the protected machine. Ransomware that deletes Shadow Volume Copies will also encrypt any connected backup it can reach, so only a detached copy guarantees that files can be restored without paying.
  • Use Strong and Unique Passwords: Implement strong, unique passwords for all accounts and devices, and consider a password manager to keep track of them. For Dharma-family threats such as Avanzi this matters most for accounts that can log in over RDP: pair strong passwords with account lockout, and do not expose RDP directly to the internet.
  • Exercise Caution with Email Attachments and Links: Be wary of unexpected emails, especially those containing attachments or links. Avoid opening attachments or clicking on links from unknown or suspicious sources, as they may deliver ransomware or other malware.
  • Educate Yourself and Users: Stay informed about current cybersecurity threats and educate other users about the risks of clicking on unknown links, downloading suspicious files or visiting untrustworthy websites.

By adopting these practices, users can significantly reduce the risk of falling victim to ransomware and enhance the overall security posture of their devices.

The full text of the ransom note generated by the Avanzi Ransomware on breached devices is:

'Avanzi

All your files have been encrypted!

Don’t worry, you can return all your files!
If you want to restore them, write to the mail: avanziahelp@cock.li YOUR ID:
If you have not answered by mail within 12 hours, write to us by another mail: avanzirest@tuta.io

Free decryption as guarantee
Before paying you can send us up to 3 file for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The text file dropped by Avanzi Ransomware contains the following message:

all your data has been locked us

You want to return?

write email avanziahelp@cock.li or avanzirest@tuta.io'
