Credential Theft
- Mimikatz
- SharpDump
Avaddon is a Windows ransomware family and ransomware operation active in large-scale criminal campaigns from at least 2020 through 2021.
Profile source: Mallory opens in a new tabAvaddon
Avaddon is a Windows ransomware family and ransomware operation active in large-scale criminal campaigns from at least 2020 through 2021. It became especially notable for high-volume email distribution activity and later for intrusions that increasingly relied on remote access services such as RDP and VPN infrastructure rather than direct email delivery. Avaddon has also been linked to use of criminal anonymity infrastructure such as First VPN Service for reconnaissance and intrusion support.
Avaddon is associated with common big-game ransomware tradecraft. It performs locale and keyboard-layout checks to avoid infecting systems associated with Commonwealth of Independent States countries, a pattern frequently seen in Russian-speaking cybercrime ecosystems. On compromised Windows systems it modifies the registry for persistence and user account control bypass, attempts to identify and stop anti-malware products, and uses native administrative tooling to impair recovery by deleting backups and shadow copies, including via WMIC. Execution has been observed through a malicious JScript downloader, and historical reporting also ties Avaddon to major malspam campaigns.
The malware targets Windows environments and is relevant across enterprise victims, with reporting connecting the broader operation to attacks affecting businesses and other organizations. Avaddon is widely recognized as a ransomware family, and later ransomware activity such as NoEscape has been assessed by some researchers as a likely rebranding or descendant of Avaddon.
Ransomware.live
Reported operators
"June 1, 2020 RIDDLE SPIDER's Avaddon"
MITRE ATT&CK
Reporting
authorities said the service, whose administrator was based in Dnipro, Ukraine, had been used by at least 25 ransomware groups, including Avaddon, for network reconnaissance and intrusions.
в ФБР сообщали, что инфраструктура First VPN применялась не менее чем 25 вымогательскими группировками, включая Avaddon
It was used in attacks linked back to at least 25 types of ransomware, such as the Avaddon ransomware.
The U.S. Federal Bureau of Investigation in its Flash Alert confirmed the service to be active since at least 2014 and provided exit node servers in 27 countries. It also concurred that an upwards of 25 ransomware groups, including Avaddon Ransomware, used First VPN Service infrastructure to perform network reconnaissance and intrusions.
Emerging in June 2020, the Avaddon ransomware operation rapidly established itself as a significant threat within the cybercrime ecosystem through a highly organized Ransomware-as-a-Service (RaaS) model. The campaign was characterized by its use of double extortion tactics, where victims faced not only the encryption of critical data but also the threat of having sensitive information published on a dedicated leak site if ransom demands were not met. The development and overall management of this RaaS enterprise are attributed to the threat actor tracked as Riddle Spider.
Avaddon deletes backups and shadow copies using native system tools.
The operators claim to have developed the ransomware and the infrastructure from scratch, though it is believed that their ransomware is a rebranding of the Avaddon ransomware.
Earlier builds of AVADDON ransomware had a User Access Control (UAC) bypass module to abuse CMSTPLUA COM interface... AVADDON Encryption Evolution...
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.