The Avaddon ransomware operators claimed to have breached and leaked stolen data from a concrete formwork construction company involved in water infrastructure projects, including water treatment plants and reservoirs. Through information provided by a trusted third party, WaterISAC is aware that Avaddon is claiming on its darkweb site to have leaked 25% of the data reportedly stolen from EFCO (www[.]efcoforms[.]com). Avaddon is a relatively new ransomware-as-a-service (RaaS) malware and has recently jumped on the data breach bandwagon. Avaddon’s primary method of distribution appears to be spam campaigns. Prior to ransomware adopting the data breach paradigm, partner organizations likely only experienced a service impact while the third party victim recovered from the unfortunate incident. Nowadays, every partner organization carries a risk from a ransomware attack on a third party. Data leaked from third parties could be used in spearphishing against all partners in the victim’s supply chain for a variety of goals, including distributing more ransomware. Along with securing the supply chain (#13 – WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities), members are encouraged to consider the impact of a ransomware attack on third-party partners when developing/refreshing ransomware response plans. For more details and background on Avaddon visit DomainTools