Avaddon (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.avaddon (Back to overview)

Avaddon

Actor(s): RIDDLE SPIDER

VTCollection

Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.

References

2022-04-12 ⋅ ConnectWise ⋅ ConnectWise CRU
Threat Profile: Avaddon
Avaddon

2022-03-23 ⋅ splunk ⋅ Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-01-19 ⋅ Mandiant ⋅ Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX

2021-10-12 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil

2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-07-22 ⋅ S2W LAB Inc. ⋅ TALON
Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)
Avaddon Hakbit

2021-06-16 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
The Rise & Demise of Multi-Million Ransomware Business Empire
Avaddon

2021-06-11 ⋅ The Record ⋅ Catalin Cimpanu
Cybercrime Featured Avaddon ransomware operation shuts down and releases decryption keys
Avaddon

2021-06-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Avaddon ransomware shuts down and releases decryption keys
Avaddon

2021-06-07 ⋅ ATOS ⋅ Loïc Castel
Avaddon Ransomware Analysis
Avaddon

2021-05-14 ⋅ The Record ⋅ Catalin Cimpanu
Darkside ransomware gang says it lost control of its servers & money a day after Biden threat
DarkSide Avaddon REvil

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-05-08 ⋅ Australian Signals Directorate ⋅ Australian Cyber Security Centre (ACSC)
2021-003: Ongoing campaign using Avaddon Ransomware
Avaddon

2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX

2021-04-26 ⋅ CoveWare ⋅ CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt

2021-04-25 ⋅ Vulnerability.ch Blog ⋅ Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil

2021-04-01 ⋅ SentinelOne ⋅ Jim Walter
Avaddon RaaS | Breaks Public Decryptor, Continues On Rampage
Avaddon

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-09 ⋅ Javier Yuste, Sergio Pastrana
Avaddon ransomware: an in-depth analysis and decryption of infected systems
Avaddon

2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-01-26 ⋅ Medium s2wlab ⋅ Hyunmin Suh
W4 Jan | EN | Story of the week: Ransomware on the Darkweb
Avaddon Babuk LockBit

2021-01-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Another ransomware (Avaddon) now uses DDoS attacks to force victims to pay
Avaddon

2021-01-11 ⋅ Twitter (@dk_samper) ⋅ Dávid Kosť
Tweet on Initial access of Avaddon Ransomware group from an IR engagement
Avaddon

2020-12-28 ⋅ ⋅ Swanscan ⋅ Pierguido Iezzi, Swascan Cyber Incident Response Team
Avaddon Ransomware: Incident Response Analysis
Avaddon

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-16 ⋅ Intel 471 ⋅ Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX

2020-10-26 ⋅ AWAKE ⋅ Ashish Gahlot
Threat Hunting for Avaddon Ransomware
Avaddon

2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt

2020-09-29 ⋅ PWC UK ⋅ Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker

2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet

2020-07-08 ⋅ Trend Micro ⋅ Trend Micro Threat Research Team
Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted
Avaddon

2020-07-01 ⋅ ⋅ TG Soft ⋅ TG Soft
Cyber-Threat Report on the cyber attacks of June 2020 in Italy
Avaddon ISFB

2020-06-12 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
Probable Sandworm Infrastructure
Avaddon Emotet Kimsuky

2020-06-11 ⋅ Twitter (@Securityinbits) ⋅ Security-in-Bits
Tweet on Avaddon ransomware with Python script for decrypting strings
Avaddon

2020-06-05 ⋅ Hornetsecurity ⋅ Security Lab
Avaddon: From seeking affiliates to in-the-wild in 2 days
Avaddon

2020-05-31 ⋅ ⋅ ESET Research ⋅ Facundo Muñoz
Ransomware Avaddon: principales características
Avaddon

Yara Rules

[TLP:WHITE] win_avaddon_auto (20241030 | Detects win.avaddon.)

rule win_avaddon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.avaddon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 56 ff15???????? 85c0 7527 ff15???????? 3d16000980 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7527                 | jne                 0x29
            //   ff15????????         |                     
            //   3d16000980           | cmp                 eax, 0x80090016

        $sequence_1 = { f20f100d???????? 0fb6c0 f20f5cca 660f6ec0 f30fe6c0 0fb6c2 f20f59c8 }
            // n = 7, score = 200
            //   f20f100d????????     |                     
            //   0fb6c0               | movzx               eax, al
            //   f20f5cca             | subsd               xmm1, xmm2
            //   660f6ec0             | movd                xmm0, eax
            //   f30fe6c0             | cvtdq2pd            xmm0, xmm0
            //   0fb6c2               | movzx               eax, dl
            //   f20f59c8             | mulsd               xmm1, xmm0

        $sequence_2 = { ff75d4 ffd6 c745fcffffffff 8b75ac 8945b4 85f6 }
            // n = 6, score = 200
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   ffd6                 | call                esi
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8b75ac               | mov                 esi, dword ptr [ebp - 0x54]
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   85f6                 | test                esi, esi

        $sequence_3 = { 8b5db8 037014 0375cc 8b4308 0faf45f0 03c2 }
            // n = 6, score = 200
            //   8b5db8               | mov                 ebx, dword ptr [ebp - 0x48]
            //   037014               | add                 esi, dword ptr [eax + 0x14]
            //   0375cc               | add                 esi, dword ptr [ebp - 0x34]
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   0faf45f0             | imul                eax, dword ptr [ebp - 0x10]
            //   03c2                 | add                 eax, edx

        $sequence_4 = { 83781408 8b7810 7202 8b08 ff75a8 8bd7 6a01 }
            // n = 7, score = 200
            //   83781408             | cmp                 dword ptr [eax + 0x14], 8
            //   8b7810               | mov                 edi, dword ptr [eax + 0x10]
            //   7202                 | jb                  4
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   ff75a8               | push                dword ptr [ebp - 0x58]
            //   8bd7                 | mov                 edx, edi
            //   6a01                 | push                1

        $sequence_5 = { 3dffffff7f 7743 03c0 56 50 e8???????? 8bf0 }
            // n = 7, score = 200
            //   3dffffff7f           | cmp                 eax, 0x7fffffff
            //   7743                 | ja                  0x45
            //   03c0                 | add                 eax, eax
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_6 = { 84c9 754e 8b4e14 03c7 3bc1 7239 8b06 }
            // n = 7, score = 200
            //   84c9                 | test                cl, cl
            //   754e                 | jne                 0x50
            //   8b4e14               | mov                 ecx, dword ptr [esi + 0x14]
            //   03c7                 | add                 eax, edi
            //   3bc1                 | cmp                 eax, ecx
            //   7239                 | jb                  0x3b
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_7 = { 0faf5708 8b4f14 0faf5704 0faf17 03d1 3bca 734c }
            // n = 7, score = 200
            //   0faf5708             | imul                edx, dword ptr [edi + 8]
            //   8b4f14               | mov                 ecx, dword ptr [edi + 0x14]
            //   0faf5704             | imul                edx, dword ptr [edi + 4]
            //   0faf17               | imul                edx, dword ptr [edi]
            //   03d1                 | add                 edx, ecx
            //   3bca                 | cmp                 ecx, edx
            //   734c                 | jae                 0x4e

        $sequence_8 = { 8b85fcfeffff 83c204 40 3b8570ffffff 8985fcfeffff 8b85d8feffff 0f8ce9feffff }
            // n = 7, score = 200
            //   8b85fcfeffff         | mov                 eax, dword ptr [ebp - 0x104]
            //   83c204               | add                 edx, 4
            //   40                   | inc                 eax
            //   3b8570ffffff         | cmp                 eax, dword ptr [ebp - 0x90]
            //   8985fcfeffff         | mov                 dword ptr [ebp - 0x104], eax
            //   8b85d8feffff         | mov                 eax, dword ptr [ebp - 0x128]
            //   0f8ce9feffff         | jl                  0xfffffeef

        $sequence_9 = { ff10 8b45e4 83f808 7213 8d044502000000 50 ff75d0 }
            // n = 7, score = 200
            //   ff10                 | call                dword ptr [eax]
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   83f808               | cmp                 eax, 8
            //   7213                 | jb                  0x15
            //   8d044502000000       | lea                 eax, [eax*2 + 2]
            //   50                   | push                eax
            //   ff75d0               | push                dword ptr [ebp - 0x30]

    condition:
        7 of them and filesize < 2343936
}

[TLP:WHITE] win_avaddon_w0 (20200902 | Detects Avaddon ransomware)

rule win_avaddon_w0 {
    meta:
        description = "Detects Avaddon ransomware"
        author = "@VK_Intel, modified by @r0ny_123"
        reference = "https://twitter.com/VK_Intel/status/1300944441390370819"
        tlp = "white"
        date = "2020-09-01"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon"
        malpedia_rule_date = "20200902"
        malpedia_hash = ""
        malpedia_version = "20200902"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $str0 = "rcid"
        $str1 = "hdd"
        $str2 = "lang"
        $cfg_parser = { 55 8b ec 6a ff 68 74 d8 46 00 64 ?? ?? ?? ?? ?? 50 81 ec 3c 02 00 00 a1 ?? ?? ?? ?? 33 c5 89 ?? ?? 56 57 50 8d ?? ?? 64 ?? ?? ?? ?? ?? 8b f1 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 8b ?? 51 8b ce ff ?? ?? 83 ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? 85 c0 0f ?? ?? ?? ?? ?? b9 10 00 00 00 c7 ?? ?? ?? ?? ?? ?? 3b c1 c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 0f 42 c8 83 ?? ?? ?? 8d ?? ?? 0f ?? ?? ?? 51 50 8d ?? ?? e8 ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 83 f8 10 0f ?? ?? ?? ?? ?? 83 c0 f0 b9 20 00 00 00 3b c1 0f 42 c8 83 ?? ?? ?? 8d ?? ?? 0f ?? ?? ?? 51 83 c0 10 8d ?? ?? 50 e8 ?? ?? ?? ?? c6 ?? ?? ?? 83 ?? ?? ?? 0f ?? ?? ?? ?? ?? 83 ?? ?? ?? 0f ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? 8d ?? ?? ?? ?? ?? 8b ?? 51 8b ce ff ?? ?? 8b ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? ?? f3 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ??}
        $crypt_imp_seq_0 = { 83 ?? ?? ?? 8b c7 c7 ?? ?? ?? ?? ?? ?? 72 ?? 8b ?? 6a 00 6a 00 8d ?? ?? 51 6a 00 6a 01 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 [3-6] 8b ?? ?? ff ?? ?? ?? ?? ?? 56 6a 00 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 [2-6] 83 ?? ?? ?? 72 ?? 8b ?? 6a 00 6a 00 8d ?? ?? 50 56 6a 01 6a 00 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? [0-3] 8d ?? ?? 50 6a 00 6a 00 ff ?? ?? 56 ff ?? ?? ff ?? ?? ?? ?? ?? }
    condition:
        uint16(0) == 0x5a4d and 1 of ($str*) and ($cfg_parser or $crypt_imp_seq_0)
}

Download all Yara Rules

Avaddon Propose Change

References

Yara Rules

Avaddon