Avaddon Ransomware
Avaddon Ransomware: A Double Extortion Threat That Targeted Organizations Worldwide
Avaddon ransomware is a file-encrypting malware that first appeared in mid-2019 and became widely known in 2020 and 2021 for its double extortion tactics. It not only encrypted victims' files but also exfiltrated sensitive data, threatening to leak stolen information unless the ransom was paid. Avaddon operated as a ransomware-as-a-service (RaaS), recruiting affiliates to spread the malware in exchange for a share of the profits.
Introduction to Avaddon Ransomware
Avaddon ransomware campaigns typically began with phishing emails carrying malicious attachments or links that led to documents with malicious macros. Once inside a system, Avaddon encrypted files with strong encryption algorithms and delivered ransom notes demanding Bitcoin payments. Victims were also extorted with the threat of data leaks on a dedicated leak site if they refused to pay.
1. How Avaddon Ransomware Worked
Infection Mechanism:
- Avaddon was mainly distributed via phishing campaigns, with malicious attachments containing JavaScript files, Excel macros, or malicious links.
- Operators also brute-forced Remote Desktop Protocol (RDP) credentials to gain unauthorized access.
- After initial compromise, the ransomware spread laterally across networks, using stolen credentials and network scanning tools.
Encryption Process:
- Avaddon used AES and RSA encryption algorithms to lock files, appending the .avdn extension to encrypted files.
- Victims were presented with a ransom note file, typically named [random_string]-readme.txt, providing instructions for payment and data recovery.
- In double extortion cases, the operators threatened to publish the stolen data on Avaddon's dark web leak site.
2. History and Notable Campaigns
Origin and Discovery:
- First observed in June 2020, Avaddon quickly became a top RaaS operation, targeting victims globally.
- Its operators provided user-friendly interfaces for affiliates, simplifying ransomware deployment.
Notable Campaigns:
- Avaddon targeted financial institutions, manufacturing, healthcare, and government organizations.
- In 2021, Avaddon launched widespread campaigns, prompting CISA and the FBI to issue joint security alerts due to the scale and impact of its operations.
3. Targets and Impact
Targeted Victims and Sectors:
- Victims included large enterprises, municipal governments, healthcare providers, and critical infrastructure sectors.
- Attackers focused on high-value data and exposed remote access services, particularly RDP.
Consequences:
- Victims faced disruption of operations, data breaches, and reputational damage from leaked data.
- Ransom demands often ranged from $50,000 to several million USD in Bitcoin.
- After a global crackdown on ransomware, Avaddon shut down in June 2021, releasing 2,934 decryption keys to affected victims.
4. Technical Details
Payload Capabilities:
- File Encryption: Utilized robust AES and RSA encryption algorithms.
- Data Exfiltration: Stole sensitive files before encryption to enable double extortion.
- Persistence: Created scheduled tasks and modified registry keys to maintain control.
- Lateral Movement: Used Mimikatz to harvest credentials and move within the network.
Evasion Techniques:
- Detected sandbox and virtual environments to evade analysis.
- Delayed execution and code obfuscation to bypass security tools.
- Disabled Windows Defender and other endpoint security software.
5. Preventing Avaddon Ransomware Infections
Best Practices:
- Implement multi-factor authentication (MFA) on all remote access services.
- Disable unused RDP ports and enforce strong password policies.
- Regularly update and patch systems to close known vulnerabilities.
- Conduct user awareness training on phishing and ransomware threats.
Recommended Security Tools:
- Endpoint detection and response (EDR) solutions for early ransomware detection.
- Network monitoring tools to detect lateral movement and data exfiltration.
- Email security gateways with anti-phishing and attachment scanning capabilities.
6. Detecting and Removing Avaddon Ransomware
Indicators of Compromise (IoCs):
- Files with the .avdn extension.
- Presence of ransom note files titled [random_string]-readme.txt.
- Suspicious outbound traffic to command-and-control (C2) servers.
- Unauthorized RDP login attempts and Mimikatz activity.
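The first two indicators above can be checked mechanically. The following added example (not code from the original page or any vendor tool) sweeps a directory listing for .avdn files and [random_string]-readme.txt notes, groups the hits per directory so the impact can be scoped, and recovers the pre-encryption file names a responder would need to restore from offline backup; the sample listing is constructed.

```python
import os
import re
from collections import defaultdict

# Both indicators come from the IoC list above: Avaddon appends .avdn to
# encrypted files and drops a ransom note named <random_string>-readme.txt.
ENCRYPTED_EXT = ".avdn"
RANSOM_NOTE_RE = re.compile(r"^[A-Za-z0-9]+-readme\.txt$", re.IGNORECASE)

# Constructed directory listing standing in for a real file share.
SAMPLE_LISTING = [
    "finance/Q2-budget.xlsx.avdn",
    "finance/invoices.pdf.avdn",
    "finance/hG7kQ2-readme.txt",
    "finance/readme.txt",            # ordinary file: no random prefix
    "hr/policies.docx",
    "hr/policies.docx.avdn",
    "hr/hG7kQ2-readme.txt",
    "public/logo.png",
]

def classify(name):
    """Return 'encrypted', 'note', or None for one file name."""
    if name.lower().endswith(ENCRYPTED_EXT):
        return "encrypted"
    if RANSOM_NOTE_RE.match(name):
        return "note"
    return None

def group_hits(paths):
    """Group IoC hits by directory; directories without hits are omitted."""
    hits = defaultdict(lambda: {"encrypted": [], "note": []})
    for path in paths:
        name = os.path.basename(path)
        kind = classify(name)
        if kind:
            hits[os.path.dirname(path)][kind].append(name)
    return dict(hits)

def sweep(root):
    """Same grouping over a live tree, walked with os.walk."""
    return group_hits(os.path.join(d, f)
                      for d, _, files in os.walk(root) for f in files)

def summarize(hits):
    """Totals plus the pre-encryption names (extension stripped), i.e. the
    list of files that must be restored from offline backup."""
    originals = sorted(os.path.join(d, n[:-len(ENCRYPTED_EXT)])
                       for d, h in hits.items() for n in h["encrypted"])
    return {"directories": len(hits),
            "encrypted": len(originals),
            "notes": sum(len(h["note"]) for h in hits.values()),
            "originals": originals}

if __name__ == "__main__":
    print(summarize(group_hits(SAMPLE_LISTING)))
```

Run `sweep("/path/to/share")` instead of the sample listing to triage a real mounted volume.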
Removal Steps:
- Immediately isolate infected machines from the network.
- Use forensic tools to identify the infection vector and compromised accounts.
- Deploy antivirus and EDR tools to remove malware components.
- Restore data from offline backups or use decryption tools, where available (provided after Avaddon's shutdown in 2021).
Professional Help:
Businesses with widespread infections should engage cybersecurity incident response teams to manage recovery and investigate data breaches.
7. Response to an Avaddon Attack
Immediate Steps:
- Notify internal teams, law enforcement, and relevant regulatory bodies.
- Begin containment and eradication steps, including credential resets and patching exploited vulnerabilities.
- Evaluate the extent of data theft and prepare for potential public disclosure.
8. Legal and Ethical Implications
Legal Considerations:
- Potential regulatory fines and legal action if sensitive customer data was leaked.
- Compliance with GDPR, CCPA, and other data protection laws may require disclosure and notification.
Ethical Considerations:
- Paying ransoms may encourage further criminal activity, but some organizations face ethical dilemmas when critical operations are affected.
9. Resources and References
- FBI Public Advisories on ransomware and double extortion tactics
- CISA StopRansomware
- No More Ransom Project: Decryption tools and resources
- Acronis Blog: Avaddon ransomware cleans the bin for you
- Malwarebytes Labs: Ransom.Avaddon
- Sophos News: What to expect when you’ve been hit with Avaddon ransomware
- Trend Micro Security News: Ransomware Report, Avaddon and New Techniques Emerge, Industrial Sector Targeted
10. FAQs about Avaddon Ransomware
Q: What is Avaddon ransomware?
Avaddon is a ransomware strain that encrypts files and exfiltrates data, threatening victims with double extortion unless a ransom is paid.
Q: How did Avaddon spread?
It spread via phishing emails, malicious attachments, brute-force attacks on RDP, and exploit kits.
Q: Is there a decryption tool for Avaddon?
Yes, in June 2021, Avaddon's operators released free decryption keys, and tools are available from the No More Ransom Project.
11. Conclusion
Avaddon ransomware exemplified the double extortion model, combining data encryption with threats of public data leaks to increase ransom payments. Its RaaS model and global reach made it a significant player in the ransomware ecosystem until its shutdown in 2021, offering lessons on the importance of cybersecurity hygiene, proactive defenses, and incident response readiness.