win.avaddon

Avaddon

Actor(s): RIDDLE SPIDER


Avaddon is ransomware targeting Windows systems, often spread via malicious spam. The first known attack in which Avaddon was distributed took place in February 2020. Avaddon encrypts files, appending the extension .avdn, and directs victims to a TOR payment site for the ransom payment.

References
2022-04-12 | ConnectWise | ConnectWise CRU
Threat Profile: Avaddon
Avaddon
2022-03-23 | splunk | Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-17 | Sophos | Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-02-23 | splunk | Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-01-19 | Mandiant | Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-10-12 | CrowdStrike | CrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-14 | CrowdStrike | CrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-08-15 | Symantec | Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-07-22 | S2W LAB Inc. | TALON
Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)
Avaddon Hakbit
2021-06-16 | Advanced Intelligence | Vitali Kremez, Yelisey Boguslavskiy
The Rise & Demise of Multi-Million Ransomware Business Empire
Avaddon
2021-06-11 | The Record | Catalin Cimpanu
Avaddon ransomware operation shuts down and releases decryption keys
Avaddon
2021-06-11 | Bleeping Computer | Lawrence Abrams
Avaddon ransomware shuts down and releases decryption keys
Avaddon
2021-06-07 | ATOS | Loïc Castel
Avaddon Ransomware Analysis
Avaddon
2021-05-14 | The Record | Catalin Cimpanu
Darkside ransomware gang says it lost control of its servers & money a day after Biden threat
DarkSide Avaddon REvil
2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-08 | Australian Signals Directorate | Australian Cyber Security Centre (ACSC)
2021-003: Ongoing campaign using Avaddon Ransomware
Avaddon
2021-05-06 | Cyborg Security | Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-26 | CoveWare | CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-25 | Vulnerability.ch Blog | Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-01 | SentinelOne | Jim Walter
Avaddon RaaS | Breaks Public Decryptor, Continues On Rampage
Avaddon
2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-09 | Javier Yuste, Sergio Pastrana
Avaddon ransomware: an in-depth analysis and decryption of infected systems
Avaddon
2021-02-02 | CRONUP | Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-26 | Medium s2wlab | Hyunmin Suh
W4 Jan | EN | Story of the week: Ransomware on the Darkweb
Avaddon Babuk LockBit
2021-01-24 | Bleeping Computer | Lawrence Abrams
Another ransomware (Avaddon) now uses DDoS attacks to force victims to pay
Avaddon
2021-01-11 | Twitter (@dk_samper) | Dávid Kosť
Tweet on Initial access of Avaddon Ransomware group from an IR engagement
Avaddon
2020-12-28 | Swascan | Pierguido Iezzi, Swascan Cyber Incident Response Team
Avaddon Ransomware: Incident Response Analysis
Avaddon
2020-11-20 | ZDNet | Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-16 | Intel 471 | Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-26 | AWAKE | Ashish Gahlot
Threat Hunting for Avaddon Ransomware
Avaddon
2020-10-23 | Hornetsecurity | Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-09-29 | PWC UK | Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-08-25 | KELA | Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-07-08 | Trend Micro | Trend Micro Threat Research Team
Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted
Avaddon
2020-07-01 | TG Soft | TG Soft
Cyber-Threat Report on the cyber attacks of June 2020 in Italy
Avaddon ISFB
2020-06-12 | ThreatConnect | ThreatConnect Research Team
Probable Sandworm Infrastructure
Avaddon Emotet Kimsuky
2020-06-11 | Twitter (@Securityinbits) | Security-in-Bits
Tweet on Avaddon ransomware with Python script for decrypting strings
Avaddon
2020-06-05 | Hornetsecurity | Security Lab
Avaddon: From seeking affiliates to in-the-wild in 2 days
Avaddon
2020-05-31 | ESET Research | Facundo Muñoz
Ransomware Avaddon: principales características
Avaddon
Yara Rules
[TLP:WHITE] win_avaddon_auto (20260504 | Detects win.avaddon.)
rule win_avaddon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.avaddon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d044502000000 50 ff758c e8???????? 83c408 c7459c00000000 33c0 }
            // n = 7, score = 200
            //   8d044502000000       | lea                 eax, [eax*2 + 2]
            //   50                   | push                eax
            //   ff758c               | push                dword ptr [ebp - 0x74]
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   c7459c00000000       | mov                 dword ptr [ebp - 0x64], 0
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { e8???????? 8bb7a0000000 b8abaaaa2a 8b8fa8000000 2bce f7e9 c1fa02 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8bb7a0000000         | mov                 esi, dword ptr [edi + 0xa0]
            //   b8abaaaa2a           | mov                 eax, 0x2aaaaaab
            //   8b8fa8000000         | mov                 ecx, dword ptr [edi + 0xa8]
            //   2bce                 | sub                 ecx, esi
            //   f7e9                 | imul                ecx
            //   c1fa02               | sar                 edx, 2

        $sequence_2 = { 75f5 2bc2 8d4c2410 d1f8 50 8d442450 50 }
            // n = 7, score = 200
            //   75f5                 | jne                 0xfffffff7
            //   2bc2                 | sub                 eax, edx
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   d1f8                 | sar                 eax, 1
            //   50                   | push                eax
            //   8d442450             | lea                 eax, [esp + 0x50]
            //   50                   | push                eax

        $sequence_3 = { c64405f000 40 83f804 72f5 8b0d???????? 33ff 0f1f840000000000 }
            // n = 7, score = 200
            //   c64405f000           | mov                 byte ptr [ebp + eax - 0x10], 0
            //   40                   | inc                 eax
            //   83f804               | cmp                 eax, 4
            //   72f5                 | jb                  0xfffffff7
            //   8b0d????????         |                     
            //   33ff                 | xor                 edi, edi
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]

        $sequence_4 = { 50 ffb508ffffff e8???????? 83c408 33c0 c78518ffffff00000000 c7851cffffff07000000 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ffb508ffffff         | push                dword ptr [ebp - 0xf8]
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   33c0                 | xor                 eax, eax
            //   c78518ffffff00000000     | mov    dword ptr [ebp - 0xe8], 0
            //   c7851cffffff07000000     | mov    dword ptr [ebp - 0xe4], 7

        $sequence_5 = { 89b500ffffff 3bf1 0f8c87fdffff 8b9554ffffff 8bb5f4feffff 46 89b5f4feffff }
            // n = 7, score = 200
            //   89b500ffffff         | mov                 dword ptr [ebp - 0x100], esi
            //   3bf1                 | cmp                 esi, ecx
            //   0f8c87fdffff         | jl                  0xfffffd8d
            //   8b9554ffffff         | mov                 edx, dword ptr [ebp - 0xac]
            //   8bb5f4feffff         | mov                 esi, dword ptr [ebp - 0x10c]
            //   46                   | inc                 esi
            //   89b5f4feffff         | mov                 dword ptr [ebp - 0x10c], esi

        $sequence_6 = { 895df8 8b4f14 8bc1 8b7710 2bc6 8975ec 894df4 }
            // n = 7, score = 200
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   8b4f14               | mov                 ecx, dword ptr [edi + 0x14]
            //   8bc1                 | mov                 eax, ecx
            //   8b7710               | mov                 esi, dword ptr [edi + 0x10]
            //   2bc6                 | sub                 eax, esi
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx

        $sequence_7 = { 33f0 8b4514 33f1 8b4d24 3bc1 8bd9 }
            // n = 6, score = 200
            //   33f0                 | xor                 esi, eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   33f1                 | xor                 esi, ecx
            //   8b4d24               | mov                 ecx, dword ptr [ebp + 0x24]
            //   3bc1                 | cmp                 eax, ecx
            //   8bd9                 | mov                 ebx, ecx

        $sequence_8 = { 85d2 0f8ea0020000 8b4dac 8b45a4 0f1f840000000000 33f6 89b500ffffff }
            // n = 7, score = 200
            //   85d2                 | test                edx, edx
            //   0f8ea0020000         | jle                 0x2a6
            //   8b4dac               | mov                 ecx, dword ptr [ebp - 0x54]
            //   8b45a4               | mov                 eax, dword ptr [ebp - 0x5c]
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]
            //   33f6                 | xor                 esi, esi
            //   89b500ffffff         | mov                 dword ptr [ebp - 0x100], esi

        $sequence_9 = { baffffff7f 8bc2 2bc3 83f801 0f82a4000000 56 8d7301 }
            // n = 7, score = 200
            //   baffffff7f           | mov                 edx, 0x7fffffff
            //   8bc2                 | mov                 eax, edx
            //   2bc3                 | sub                 eax, ebx
            //   83f801               | cmp                 eax, 1
            //   0f82a4000000         | jb                  0xaa
            //   56                   | push                esi
            //   8d7301               | lea                 esi, [ebx + 1]

    condition:
        7 of them and filesize < 2343936
}
[TLP:WHITE] win_avaddon_w0 (20200902 | Detects Avaddon ransomware)
rule win_avaddon_w0 {
    meta:
        description = "Detects Avaddon ransomware"
        author = "@VK_Intel, modified by @r0ny_123"
        reference = "https://twitter.com/VK_Intel/status/1300944441390370819"
        tlp = "white"
        date = "2020-09-01"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon"
        malpedia_rule_date = "20200902"
        malpedia_hash = ""
        malpedia_version = "20200902"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $str0 = "rcid"
        $str1 = "hdd"
        $str2 = "lang"
        $cfg_parser = { 55 8b ec 6a ff 68 74 d8 46 00 64 ?? ?? ?? ?? ?? 50 81 ec 3c 02 00 00 a1 ?? ?? ?? ?? 33 c5 89 ?? ?? 56 57 50 8d ?? ?? 64 ?? ?? ?? ?? ?? 8b f1 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 8b ?? 51 8b ce ff ?? ?? 83 ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? 85 c0 0f ?? ?? ?? ?? ?? b9 10 00 00 00 c7 ?? ?? ?? ?? ?? ?? 3b c1 c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 0f 42 c8 83 ?? ?? ?? 8d ?? ?? 0f ?? ?? ?? 51 50 8d ?? ?? e8 ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 83 f8 10 0f ?? ?? ?? ?? ?? 83 c0 f0 b9 20 00 00 00 3b c1 0f 42 c8 83 ?? ?? ?? 8d ?? ?? 0f ?? ?? ?? 51 83 c0 10 8d ?? ?? 50 e8 ?? ?? ?? ?? c6 ?? ?? ?? 83 ?? ?? ?? 0f ?? ?? ?? ?? ?? 83 ?? ?? ?? 0f ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 8d ?? ?? ?? ?? ?? 8b ?? 51 8b ce ff ?? ?? 8b ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? ?? f3 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ??}
        $crypt_imp_seq_0 = { 83 ?? ?? ?? 8b c7 c7 ?? ?? ?? ?? ?? ?? 72 ?? 8b ?? 6a 00 6a 00 8d ?? ?? 51 6a 00 6a 01 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 [3-6] 8b ?? ?? ff ?? ?? ?? ?? ?? 56 6a 00 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 [2-6] 83 ?? ?? ?? 72 ?? 8b ?? 6a 00 6a 00 8d ?? ?? 50 56 6a 01 6a 00 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? [0-3] 8d ?? ?? 50 6a 00 6a 00 ff ?? ?? 56 ff ?? ?? ff ?? ?? ?? ?? ?? }
    condition:
        uint16(0) == 0x5a4d and 1 of ($str*) and ($cfg_parser or $crypt_imp_seq_0)
}