Avaddon RaaS | Breaks Public Decryptor, Continues On Rampage

The Avaddon ransomware family was first sighted in the wild in February 2020, but fully emerged as a robust Ransomware-as-a-Service (RaaS) model in June of that year. Over the last 9 months or so, the operator behind Avaddon has been successful in building a strong and reliable brand, moving quickly to support affiliates with an update after security researchers released a public decryptor in February 2021. Since then, we have observed a spike in Avaddon activity and note that the actor is actively engaged in developing “Version 2” of this aggressive RaaS offering.

In this post, we detail the rapid development of Avaddon, highlighting the malware author’s ability to adapt to circumstances and maximize payouts for Avaddon affiliates.

Avaddon RaaS Overview

After initial sightings in attacks from February 2020 onwards, Avaddon fully emerged as a RaaS in June of 2020. It was heavily promoted in underground markets as a fast, bespoke, highly-configurable, and well-supported ransomware service.

The Avaddon operator offered partners fairly standard terms with the RaaS taking an initial 25% cut but willing to drop that percentage for higher volume affiliates. Over the following months, Avaddon became one of the more aggressive ransomware groups targeting both individuals and businesses. Following the model of other RaaS families that came before it, Avaddon soon put up a blog site dedicated to leaking victim data should victims fail to pay the ransom demand.

Since its inception, Avaddon refused to accept affiliates targeting CIS (Commonwealth of Independant States) countries. This is in addition to being critical of any dealings with non-Russian-native speaking individuals.

Right out of the gate, Avaddon touted their speed, configurability, and robust feature set. The first version of Avaddon was advertised with the following features:

  • Unique payloads written in C++
  • File encryption via AES256 + RSA2048, supporting full-file encryption & custom parameters
  • Full offline support, initial contact to C2 not required
  • “Impossible” 3rd party decryption
  • Support for Windows 7 and higher
  • Multi-threaded file encryption for max performance
  • Encryption of all local and remote (and accessible) drives
  • IOCP Support for parallel file encryption
  • Persistently encrypts newly written files and newly connected media
  • Ability to spread across network shares (SMB, DFS)
  • Multiple delivery options (script, PowerShell, .EXE payload, .DLL)
  • Payload executes as administrator
  • Encrypts hidden files and volumes
  • Removes trash, Volume Shadow Copies (VSS), and other restore points
  • Termination of processes which inhibit encryption of files
  • Configurable ransom note behavior

Initially, affiliates were able to build and manage their payload via an elegant administration panel hosted via TOR (.onion). The panel allowed for management of specific campaigns, payment types and behaviors, victim tracking and management. It also served as the portal to Avaddon’s technical support resources.

Over the following weeks, Avaddon picked up a great amount of momentum, continued to advertise for recruitments and boasted about their coverage in the press.

In the second half of 2020, Avaddon continued to build its infected base, while also continuing to upgrade the service and payloads.

As AV engines began adding detection rules for Avaddon, the operator responded with frequent updates to ensure the desired level of stealth. In late June 2020, the malware added the option to launch payloads via PowerShell.

In August 2020, some more significant upgrades to the service came in the form of 24/7 support. The actors indicated at the time that 24×7 support for affiliates was now available via chat and ticketing systems.

In addition, Avaddon was one of the early adopters of additional extortion methods to taunt and advertise the breach of non-compliant victims, including the use of targeted advertisements. The authors continued to improve the payloads themselves with better Distributed File System (DFS) support, different encryption mechanisms, and DLL payload support.

New Year 2021 brought further changes to the Avaddon platform. In January, the actor added support for Windows XP and 2003 in the payloads, as well as tweaks to the encryption feature set. Notably, Avaddon was one of the first to add DDoS attacks as yet another intimidation mechanism to their arsenal: If clients failed to comply with the ransom demands, they stood to experience a damaging DDoS attack in addition to their data being leaked to the public, and any tarnishing of their reputation as a result of the breach.

Everything seemed to be going well for the Avaddon RaaS, but then they hit a hurdle.

Avaddon Public Decrypter

In early 2021, a decryption tool for Avaddon was released by Bitdefender. Additionally, an open-source decryptor was also released by researcher Javier Yuste based on his extensive paper detailing the internals of Avaddon.

Under the hood, Avaddon payloads were storing the ‘secret’ session keys for encryption in memory. This allowed analysts and researchers to locate the data and extract the key for analysis and eventual development of the decryption tool. The tool was widely released, and posted to NoMoreRansom.org.

During this period, we even observed actors behind Babuk ransomware offering technical assistance to the Avaddon actors.

Those behind Avaddon were quick to pivot and move to a different model altogether, nullifying the effect of the decryptor. They also offered affiliates an 80% cut for a full month as compensation.

Following the requisite upgrades to address the encryption issues, Avaddon continued to update their services and toolset, in addition to becoming more aggressive with recruitment. February 2021 also saw the addition of Monero support.

Subsequently, we have observed a spike in Avaddon activity, including new victim entries on their blog. The actor’s most recent public statements indicate that the development of Avaddon V2 is well underway.

Avaddon RaaS Technical Breakdown

In the majority of cases, the initial delivery vector for Avaddon is via phishing email. However, affiliates have been known to use RDP along with exploitation of network-centric vulnerabilities. We have observed malicious emails with attached .js payloads, which in turn retrieve the Avaddon payloads from a remote location. In some cases, threat actors have simply attached the ransomware directly to the email messages.

Avaddon payloads perform checks to insure they are not executing on a victim device located in certain regions of CIS.

The GetUserDefaultLCID() function (and/or GetKeyboardLayout()) is used to determine the users’ default locale. The following countries are most frequently excluded from execution:

  • Russia
  • Cherokee Nation
  • Ukraine
  • Tatar
  • Yakut
  • Sakha

A commonly used UAC bypass technique is utilized to ensure that the threat is running with the required privileges. Specifically, this is a UAC bypass via CMSTPLUA COM interface.

Existing Windows tools and utilities are used to manipulate and disable system recovery options, backups, and Volume Shadow Copies. Some syntax can vary across variants. WMIC.EXE is typically used to remove VSS via SHADOWCOPY DELETE /nointeractive.

We have also observed the following commands issued by Avaddon payloads:

  • bcdedit.exe /set {default} recoveryenabled No
  • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • vssadmin.exe Delete Shadows /All /Quiet
  • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

While there have been changes to Avaddon’s encryption routine to combat 3rd party decryption, the historic flow, simplified, would be:

  1. Generation of session Key (AES 256)
  2. Update master key (AES 256)
  3. Master key encrypts relevant user and environment data, along with the ransom note (typically Base64)
  4. Files are encrypted via the session key
  5. Append encrypted session key (RSA 2048) to the end of each encrypted file

Avaddon Evasion Techniques

Avaddon can be configured to terminate specific processes. This is frequently done to target security products or processes which might interfere with the encryption process. An example process list would be:


Avaddon has also been known to prioritize the encryption of Microsoft Exchange-related directories.

Most Avaddon payloads will exclude the following critical OS locations from encryption:


Persistence mechanisms can also vary, and we have observed variations of Avaddon that utilize the creation of a new Windows service, as well as the use of scheduled tasks for persistence.

Avaddon Post-Infection Behavior

Infected files are renamed with an extension consisting of randomly generated letters. These extensions are unique for each victim.

Earlier versions of Avaddon would also replace the infected hosts’ wallpaper image. The current version presents victims with a ransom note as shown below. Victims are warned that aside from their data being encrypted, the actors “have also downloaded a lot of private data from your network”.

Victims are instructed to visit the Avaddon payment portal via the TOR browser, where they must enter their unique ID (found in the ransom note) to proceed.

The actors behind Avaddon do not wait for victims to become non-compliant before they are named and shamed on the blog. Company names appear with a timer, counting down to the posting time for any data stolen from the targeted environment.

It is important to note that victims appear on the leak site at the point when they are breached, and not just when the actor decides to release their data. This means that a company breach could easily become public knowledge regardless of any action taken by the victim, and potentially at a time where the target company would rather ‘control the release’ of that type of information.

At the time of writing, there are just over sixty companies listed, 19 of which include fully released dumps of sensitive information.

Avaddon does not appear to have any particular preference or scruples when it comes to targets. Whereas some ransomware groups have backed off certain types of targets during the ongoing pandemic, Avaddon victims to date include healthcare-related entities. That said, the most represented industries in their victimology are Information Technology & Services, Food Production, Legal Services, and Manufacturing.


Avaddon is another successful example of the current RaaS model. lt has appeared on the scene and made an impact very quickly. The actors are disciplined with regard to whom they will accept as an affiliate, which ensures some degree of longevity and exclusivity. In addition, they very quickly adopted the more aggressive extortion techniques tied to modern ransomware families. This not only includes the public leaking of data but also the threat of DDoS attacks, personal threats, and advertisement-based taunting.

All of these, along with tight payment requirements for the victims, have put Avaddon in a potentially powerful position. They have yet to garner quite the same amount of media attention as predecessors such as Maze and Egregor, but there is no reason to believe that Avaddon is any less dangerous. At this time, those behind Avaddon are highly-engaged with their community and actively developing and iterating in response to security research and detection. With Avaddon version 2 on the horizon, we only expect to see increased activity from this actor as we move further into 2021.

Indicators of Compromise




T1027 Obfuscated Files or Information
T1497.001 Virtualization/Sandbox Evasion / System Checks
T1202 Indirect Command Execution
T1078 Valid Accounts
T1562.001 Impair Defenses: Disable or Modify Tools
T1070.004 Indicator Removal on Host / File Deletion
T1112 Modify Registry
T1012 Query Registry
T1082 System Information Discovery
T1120 Peripheral Device Discovery
T1490 Inhibit System Recovery
T1548.002 Abuse Elevation Control Mechanism / Bypass User Account Control
T1566 Phishing
T1498.001 Network Denial of Service / Direct Network Flood
T1486 Data Encrypted for Impact
T1543.003 Create or Modify System Process: Windows Service