SYMBOLCOMMON_NAMEaka. SYNONYMS
win.avaddon (Back to overview)

Avaddon

Actor(s): RIDDLE SPIDER

VTCollection    

Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.

References
2022-04-12ConnectWiseConnectWise CRU
Threat Profile: Avaddon
Avaddon
2022-03-23splunkShannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-02-23splunkShannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-01-19MandiantAdrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-07-22S2W LAB Inc.TALON
Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)
Avaddon Hakbit
2021-06-16Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
The Rise & Demise of Multi-Million Ransomware Business Empire
Avaddon
2021-06-11The RecordCatalin Cimpanu
Cybercrime Featured Avaddon ransomware operation shuts down and releases decryption keys
Avaddon
2021-06-11Bleeping ComputerLawrence Abrams
Avaddon ransomware shuts down and releases decryption keys
Avaddon
2021-06-07ATOSLoïc Castel
Avaddon Ransomware Analysis
Avaddon
2021-05-14The RecordCatalin Cimpanu
Darkside ransomware gang says it lost control of its servers & money a day after Biden threat
DarkSide Avaddon REvil
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-08Australian Signals DirectorateAustralian Cyber Security Centre (ACSC)
2021-003: Ongoing campaign using Avaddon Ransomware
Avaddon
2021-05-06Cyborg SecurityBrandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-26CoveWareCoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-25Vulnerability.ch BlogCorsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-01SentinelOneJim Walter
Avaddon RaaS | Breaks Public Decryptor, Continues On Rampage
Avaddon
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-09Javier Yuste, Sergio Pastrana
Avaddon ransomware: an in-depth analysis and decryption of infected systems
Avaddon
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-26Medium s2wlabHyunmin Suh
W4 Jan | EN | Story of the week: Ransomware on the Darkweb
Avaddon Babuk LockBit
2021-01-24Bleeping ComputerLawrence Abrams
Another ransomware (Avaddon) now uses DDoS attacks to force victims to pay
Avaddon
2021-01-11Twitter (@dk_samper)Dávid Kosť
Tweet on Initial access of Avaddon Ransomware group from an IR engagement
Avaddon
2020-12-28SwanscanPierguido Iezzi, Swascan Cyber Incident Response Team
Avaddon Ransomware: Incident Response Analysis
Avaddon
2020-11-20ZDNetCatalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-16Intel 471Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-26AWAKEAshish Gahlot
Threat Hunting for Avaddon Ransomware
Avaddon
2020-10-23HornetsecurityHornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-09-29PWC UKAndy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-08-25KELAVictoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-07-08Trend MicroTrend Micro Threat Research Team
Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted
Avaddon
2020-07-01TG SoftTG Soft
Cyber-Threat Report on the cyber attacks of June 2020 in Italy
Avaddon ISFB
2020-06-12ThreatConnectThreatConnect Research Team
Probable Sandworm Infrastructure
Avaddon Emotet Kimsuky
2020-06-11Twitter (@Securityinbits)Security-in-Bits
Tweet on Avaddon ransomware with Python script for decrypting strings
Avaddon
2020-06-05HornetsecuritySecurity Lab
Avaddon: From seeking affiliates to in-the-wild in 2 days
Avaddon
2020-05-31ESET ResearchFacundo Muñoz
Ransomware Avaddon: principales características
Avaddon
Yara Rules
[TLP:WHITE] win_avaddon_auto (20230808 | Detects win.avaddon.)
rule win_avaddon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.avaddon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 55 8bec 83e4f8 8b11 83ec14 0faf5104 53 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   83ec14               | sub                 esp, 0x14
            //   0faf5104             | imul                edx, dword ptr [ecx + 4]
            //   53                   | push                ebx

        $sequence_1 = { 52 50 e8???????? 8bf0 8bfa 8b4508 03f3 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8bfa                 | mov                 edi, edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   03f3                 | add                 esi, ebx

        $sequence_2 = { 8d4dcc e9???????? 8d4d88 e9???????? 8d4db4 e9???????? 8d4de4 }
            // n = 7, score = 200
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   e9????????           |                     
            //   8d4d88               | lea                 ecx, [ebp - 0x78]
            //   e9????????           |                     
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   e9????????           |                     
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]

        $sequence_3 = { 8b4df0 e9???????? 8d4dbc e9???????? 8b542408 8d420c 8b4ac0 }
            // n = 7, score = 200
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   e9????????           |                     
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d420c               | lea                 eax, [edx + 0xc]
            //   8b4ac0               | mov                 ecx, dword ptr [edx - 0x40]

        $sequence_4 = { 57 56 e8???????? 83c408 85c0 7535 837e6402 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7535                 | jne                 0x37
            //   837e6402             | cmp                 dword ptr [esi + 0x64], 2

        $sequence_5 = { 8bd0 e8???????? 8b5604 83c404 }
            // n = 4, score = 200
            //   8bd0                 | mov                 edx, eax
            //   e8????????           |                     
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   83c404               | add                 esp, 4

        $sequence_6 = { ff75b4 e8???????? 83c408 47 897dac 81fffe000000 0f8654feffff }
            // n = 7, score = 200
            //   ff75b4               | push                dword ptr [ebp - 0x4c]
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   47                   | inc                 edi
            //   897dac               | mov                 dword ptr [ebp - 0x54], edi
            //   81fffe000000         | cmp                 edi, 0xfe
            //   0f8654feffff         | jbe                 0xfffffe5a

        $sequence_7 = { 8bc8 2bce 0fafcb 890a 83c204 8b4de4 41 }
            // n = 7, score = 200
            //   8bc8                 | mov                 ecx, eax
            //   2bce                 | sub                 ecx, esi
            //   0fafcb               | imul                ecx, ebx
            //   890a                 | mov                 dword ptr [edx], ecx
            //   83c204               | add                 edx, 4
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   41                   | inc                 ecx

        $sequence_8 = { 034b08 4e 8b4588 6a00 52 51 56 }
            // n = 7, score = 200
            //   034b08               | add                 ecx, dword ptr [ebx + 8]
            //   4e                   | dec                 esi
            //   8b4588               | mov                 eax, dword ptr [ebp - 0x78]
            //   6a00                 | push                0
            //   52                   | push                edx
            //   51                   | push                ecx
            //   56                   | push                esi

        $sequence_9 = { 8d4dd8 e8???????? c645fc0d 8b4f14 3b4f18 7437 c7411000000000 }
            // n = 7, score = 200
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   c645fc0d             | mov                 byte ptr [ebp - 4], 0xd
            //   8b4f14               | mov                 ecx, dword ptr [edi + 0x14]
            //   3b4f18               | cmp                 ecx, dword ptr [edi + 0x18]
            //   7437                 | je                  0x39
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0

    condition:
        7 of them and filesize < 2343936
}
[TLP:WHITE] win_avaddon_w0   (20200902 | Detects Avaddon ransomware)
rule win_avaddon_w0 {
    meta:
        description = "Detects Avaddon ransomware"
        author = "@VK_Intel, modified by @r0ny_123"
        reference = "https://twitter.com/VK_Intel/status/1300944441390370819"
        tlp = "white"
        date = "2020-09-01"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon"
        malpedia_rule_date = "20200902"
        malpedia_hash = ""
        malpedia_version = "20200902"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $str0 = "rcid"
        $str1 = "hdd"
        $str2 = "lang"
        $cfg_parser = { 55 8b ec 6a ff 68 74 d8 46 00 64 ?? ?? ?? ?? ?? 50 81 ec 3c 02 00 00 a1 ?? ?? ?? ?? 33 c5 89 ?? ?? 56 57 50 8d ?? ?? 64 ?? ?? ?? ?? ?? 8b f1 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 8b ?? 51 8b ce ff ?? ?? 83 ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? 85 c0 0f ?? ?? ?? ?? ?? b9 10 00 00 00 c7 ?? ?? ?? ?? ?? ?? 3b c1 c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 0f 42 c8 83 ?? ?? ?? 8d ?? ?? 0f ?? ?? ?? 51 50 8d ?? ?? e8 ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 83 f8 10 0f ?? ?? ?? ?? ?? 83 c0 f0 b9 20 00 00 00 3b c1 0f 42 c8 83 ?? ?? ?? 8d ?? ?? 0f ?? ?? ?? 51 83 c0 10 8d ?? ?? 50 e8 ?? ?? ?? ?? c6 ?? ?? ?? 83 ?? ?? ?? 0f ?? ?? ?? ?? ?? 83 ?? ?? ?? 0f ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 8d ?? ?? ?? ?? ?? 8b ?? 51 8b ce ff ?? ?? 8b ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? ?? f3 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ??}
        $crypt_imp_seq_0 = { 83 ?? ?? ?? 8b c7 c7 ?? ?? ?? ?? ?? ?? 72 ?? 8b ?? 6a 00 6a 00 8d ?? ?? 51 6a 00 6a 01 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 [3-6] 8b ?? ?? ff ?? ?? ?? ?? ?? 56 6a 00 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 [2-6] 83 ?? ?? ?? 72 ?? 8b ?? 6a 00 6a 00 8d ?? ?? 50 56 6a 01 6a 00 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? [0-3] 8d ?? ?? 50 6a 00 6a 00 ff ?? ?? 56 ff ?? ?? ff ?? ?? ?? ?? ?? }
    condition:
        uint16(0) == 0x5a4d and 1 of ($str*) and ($cfg_parser or $crypt_imp_seq_0)
}
Download all Yara Rules