Skip to content
Ransomware group Windows

Avaddon

Avaddon is a Windows ransomware family and ransomware operation active in large-scale criminal campaigns from at least 2020 through 2021.

Profile source: Mallory opens in a new tab

Avaddon

Family profile

Avaddon is a Windows ransomware family and ransomware operation active in large-scale criminal campaigns from at least 2020 through 2021. It became especially notable for high-volume email distribution activity and later for intrusions that increasingly relied on remote access services such as RDP and VPN infrastructure rather than direct email delivery. Avaddon has also been linked to use of criminal anonymity infrastructure such as First VPN Service for reconnaissance and intrusion support.

Avaddon is associated with common big-game ransomware tradecraft. It performs locale and keyboard-layout checks to avoid infecting systems associated with Commonwealth of Independent States countries, a pattern frequently seen in Russian-speaking cybercrime ecosystems. On compromised Windows systems it modifies the registry for persistence and user account control bypass, attempts to identify and stop anti-malware products, and uses native administrative tooling to impair recovery by deleting backups and shadow copies, including via WMIC. Execution has been observed through a malicious JScript downloader, and historical reporting also ties Avaddon to major malspam campaigns.

The malware targets Windows environments and is relevant across enterprise victims, with reporting connecting the broader operation to attacks affecting businesses and other organizations. Avaddon is widely recognized as a ransomware family, and later ransomware activity such as NoEscape has been assessed by some researchers as a likely rebranding or descendant of Avaddon.

Capabilities

  • Defense Evasion
  • Persistence
  • Reconnaissance

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz
  • SharpDump

Defense Evasion

  • GMER
  • PowerTool
  • TDSSKiller

Discovery Enum

  • SoftPerfect NetScan

Exfiltration

  • Anonfiles
  • MEGA
  • ProtonMail
  • Sendspace

Offsec

  • PowerShell Empire
  • PowerSploit

Reported operators

Threat actors

1 named in public reporting

MITRE ATT&CK

Avaddon in ATT&CK

34 distinct techniques

Reporting

Research mentioning Avaddon

Jul 16
Register Security

Telegram shortlinks knocked offline over sanctioned VPN connection

authorities said the service, whose administrator was based in Dnipro, Ukraine, had been used by at least 25 ransomware groups, including Avaddon, for network reconnaissance and intrusions.

Jul 15
Xakep

Власти США наложили санкции на First VPN из-за связей с вымогателями - Хакер

в ФБР сообщали, что инфраструктура First VPN применялась не менее чем 25 вымогательскими группировками, включая Avaddon

Jul 13
Decipher Sc

US Sanctions First VPN Cybercriminal Service - Decipher

It was used in attacks linked back to at least 25 types of ransomware, such as the Avaddon ransomware.

May 22
Thecyberexpress Com Vulnerabilities

European Agencies Shutter First VPN Service

The U.S. Federal Bureau of Investigation in its Flash Alert confirmed the service to be active since at least 2014 and provided exit node servers in 27 countries. It also concurred that an upwards of 25 ransomware groups, including Avaddon Ransomware, used First VPN Service infrastructure to perform network reconnaissance and intrusions.

Dec 3
Picus Security

Riddle Spider Avaddon Ransomware Analysis and Technical Overview

Emerging in June 2020, the Avaddon ransomware operation rapidly established itself as a significant threat within the cybercrime ecosystem through a highly organized Ransomware-as-a-Service (RaaS) model. The campaign was characterized by its use of double extortion tactics, where victims faced not only the encryption of critical data but also the threat of having sensitive information published on a dedicated leak site if ransom demands were not met. The development and overall management of this RaaS enterprise are attributed to the threat actor tracked as Riddle Spider.

Oct 31
Mitre Attack Website

Inhibit System Recovery, Technique T1490 - Enterprise | MITRE ATT&CK®

Avaddon deletes backups and shadow copies using native system tools.

May 10
Farghlymal Github

Unveiling NoEscape Ransomware: A Deep Dive into Its Tactics and Defenses - Aziz Farghly

The operators claim to have developed the ransomware and the infrastructure from scratch, though it is believed that their ransomware is a rebranding of the Avaddon ransomware.

Mar 25
Mandiant Threat Intelligence

One Source to Rule Them All: Chasing AVADDON Ransomware | Mandiant | Google Cloud Blog

Earlier builds of AVADDON ransomware had a User Access Control (UAC) bypass module to abuse CMSTPLUA COM interface... AVADDON Encryption Evolution...

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.