Avaddon
Malware
⚠️ Overview
Avaddon is a ransomware-as-a-service (RaaS) operation first observed in June 2020 by researchers at Cofense, targeting businesses across multiple sectors. The malware was offered on underground forums to affiliates who performed initial access, with the developer (likely a Russian-speaking actor) managing the backend infrastructure. It belongs to the ransomware category, employing double extortion by encrypting files and exfiltrating data before demanding payment.
🔧 Technical Capabilities
Avaddon propagates primarily through phishing emails containing malicious macro-enabled Word documents, as reported by BleepingComputer. Once executed, the macro downloads a JavaScript or PowerShell payload that establishes persistence via scheduled tasks and registry run keys. The ransomware uses a custom encryption algorithm combining AES-256 and RSA-4096 to lock files, appending a random extension such as .avdn or .avaddon. It leverages a C2 infrastructure over HTTP/HTTPS to exfiltrate data and receive payment instructions, and employs process hollowing and obfuscation to evade endpoint detection. Avaddon also terminates over 100 services and processes, including database and backup software, to maximize impact. MITRE ATT&CK maps it under S0648, noting techniques such as T1059.001 (PowerShell), T1486 (Data Encrypted for Impact), and T1078 (Valid Accounts).
📜 History & Notable Incidents
Avaddon gained notoriety in late 2020 for targeting dozens of organizations worldwide, including logistics firms and healthcare providers. A high-profile victim was the Australia-based food manufacturer Lion in January 2021, which suffered data exfiltration and operational disruption. In June 2021, the Avaddon operators shut down their ransomware portal and released a set of decryption keys to the site BleepingComputer, a move widely attributed to law enforcement pressure or internal disagreements within the group. No specific CVEs are uniquely associated with Avaddon, as it relied on phishing and stolen credentials rather than exploiting known vulnerabilities.
🔍 Detection Indicators
File hashes for Avaddon samples include SHA256: 4d9e6a3b1c... (multiple variants exist; specific hashes are available from VirusTotal). Behavioral indicators include the creation of files with .avdn or .avaddon extensions, and the ransom note named 'Avaddon.txt' placed in every folder. Network IOCs involve C2 domains such as avaddon[.]cc and avaddon[.]top (now defunct), and User-Agent strings typically contain 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'. Registry persistence keys include 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Avaddon'. Mutex names like 'Global\AvaddonMutex' have been observed.
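The following is an added example, not code from the page or from Boteraser, showing how a defender can turn the host and network indicators above into a small triage check. It assumes a simplified event schema (file creation, registry value set, mutex creation, DNS query) that is my own construction, and the sample events are constructed for illustration. The generic User-Agent string is deliberately left out, since it matches ordinary browser traffic and would only add noise on its own; the remaining indicators are combined per host so that a single weak hit does not raise an alert by itself.

```python
"""Triage constructed host/network events against the Avaddon indicators listed above.

Added example for this page; the event schema and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators from the page. Registry and mutex paths use raw strings so the
# backslashes are literal; the defanged C2 domains are refanged before matching.
RANSOM_EXTENSIONS = {".avdn", ".avaddon"}
RANSOM_NOTE = "avaddon.txt"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
PERSISTENCE_VALUE = "avaddon"
MUTEX_NAME = r"global\avaddonmutex"
C2_DOMAINS_DEFANGED = ["avaddon[.]cc", "avaddon[.]top"]


def refang(domain: str) -> str:
    """Convert a defanged indicator such as 'avaddon[.]cc' to a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


@dataclass
class Event:
    kind: str        # file_create | registry_set | mutex_create | dns_query (assumed schema)
    host: str
    data: dict


def match_event(ev: Event) -> Optional[str]:
    """Return the name of the indicator class an event matches, or None."""
    d = ev.data
    if ev.kind == "file_create":
        name = d["path"].lower().rsplit("\\", 1)[-1]
        if name == RANSOM_NOTE:
            return "ransom_note"
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RANSOM_EXTENSIONS:
            return "encrypted_file_extension"
    elif ev.kind == "registry_set":
        key = d["key"].lower()
        if key.endswith(RUN_KEY_SUFFIX) and d["value_name"].lower() == PERSISTENCE_VALUE:
            return "run_key_persistence"
    elif ev.kind == "mutex_create":
        if d["name"].lower() == MUTEX_NAME:
            return "mutex"
    elif ev.kind == "dns_query":
        if refang(d["domain"]) in C2_DOMAINS:
            return "c2_domain"
    return None


def triage(events: List[Event]) -> Dict[str, List[str]]:
    """Group distinct indicator hits per host, preserving first-seen order."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        label = match_event(ev)
        if label is None:
            continue
        bucket = hits.setdefault(ev.host, [])
        if label not in bucket:
            bucket.append(label)
    return hits


def hosts_with_corroboration(hits: Dict[str, List[str]], minimum: int = 2) -> List[str]:
    """Hosts where at least `minimum` distinct indicator classes fired (stronger than one hit)."""
    return sorted(h for h, labels in hits.items() if len(labels) >= minimum)


# Constructed sample events (not real telemetry). ws01 shows the full pattern,
# ws02 a lone DNS hit, ws03 benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    Event("file_create", "ws01", {"path": r"C:\Users\alice\Documents\report.docx.avdn"}),
    Event("file_create", "ws01", {"path": r"C:\Users\alice\Documents\Avaddon.txt"}),
    Event("registry_set", "ws01", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                   "value_name": "Avaddon"}),
    Event("mutex_create", "ws01", {"name": r"Global\AvaddonMutex"}),
    Event("dns_query", "ws02", {"domain": "avaddon.cc"}),
    Event("file_create", "ws03", {"path": r"C:\Users\bob\avdn_notes.txt"}),
    Event("registry_set", "ws03", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                   "value_name": "OneDrive"}),
    Event("dns_query", "ws03", {"domain": "update.example.com"}),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for host, labels in found.items():
        print(f"{host}: {', '.join(labels)}")
    print("corroborated:", hosts_with_corroboration(found))
```

Run as a script, the sample data reports four indicator classes on ws01, a single C2 DNS hit on ws02, and nothing on ws03; only ws01 clears the two-indicator threshold. In practice the DNS hit on ws02 would still be worth a look, but holding it below the alert threshold keeps a defunct domain from driving pages on its own.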
☠️ Risk & Impact
Avaddon causes significant operational and financial damage by encrypting critical business files and threatening to leak stolen data on a public leak site. A ransom note demands payment in Bitcoin (usually 0.5–5 BTC, varying per victim). Affected sectors include manufacturing, healthcare, finance, and logistics, with losses often exceeding hundreds of thousands of dollars per incident. Data exfiltration expands the harm, as published sensitive files lead to regulatory penalties and reputational loss.
🛡️ Mitigation
Defenders should implement email filtering to block macro-laden attachments, enforce least-privilege access, and deploy endpoint detection rules (e.g., Sigma rule ID 4edaf4ef-6c3f-4b56-b8a9-3c2b8c1c1a9c) to detect PowerShell execution anomalies. Regular offline backups and network segmentation reduce the impact of encryption. There are no patches for Avaddon-specific vulnerabilities, but applying general security updates and enabling multi-factor authentication significantly reduces the risk of initial compromise.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.