{
	"id": "14ef9024-b9e8-4470-a736-85290eea2c17",
	"created_at": "2026-04-06T00:09:55.121068Z",
	"updated_at": "2026-04-10T03:24:39.498446Z",
	"deleted_at": null,
	"sha1_hash": "e74a74de0a5c87fd3f5bfd6a91bd4bd9a6f028e5",
	"title": "Avaddon RaaS | Breaks Public Decryptor, Continues On Rampage - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2901243,
	"plain_text": "Avaddon RaaS | Breaks Public Decryptor, Continues On Rampage\r\n- SentinelLabs\r\nBy Jim Walter\r\nPublished: 2021-04-01 · Archived: 2026-04-05 14:10:50 UTC\r\nThe Avaddon ransomware family was first sighted in the wild in February 2020, but fully emerged as a robust\r\nRansomware-as-a-Service (RaaS) model in June of that year. Over the last 9 months or so, the operator behind\r\nAvaddon has been successful in building a strong and reliable brand, moving quickly to support affiliates with an\r\nupdate after security researchers released a public decryptor in February 2021. Since then, we have observed a\r\nspike in Avaddon activity and note that the actor is actively engaged in developing “Version 2” of this aggressive\r\nRaaS offering.\r\nIn this post, we detail the rapid development of Avaddon, highlighting the malware author’s ability to adapt to\r\ncircumstances and maximize payouts for Avaddon affiliates.\r\nAvaddon RaaS Overview\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 1 of 13\n\nAfter initial sightings in attacks from February 2020 onwards, Avaddon fully emerged as a RaaS in June of 2020.\r\nIt was heavily promoted in underground markets as a fast, bespoke, highly-configurable, and well-supported\r\nransomware service.\r\nThe Avaddon operator offered partners fairly standard terms with the RaaS taking an initial 25% cut but willing to\r\ndrop that percentage for higher volume affiliates. Over the following months, Avaddon became one of the more\r\naggressive ransomware groups targeting both individuals and businesses. Following the model of other RaaS\r\nfamilies that came before it, Avaddon soon put up a blog site dedicated to leaking victim data should victims fail\r\nto pay the ransom demand.\r\nSince its inception, Avaddon refused to accept affiliates targeting CIS (Commonwealth of Independant States)\r\ncountries. This is in addition to being critical of any dealings with non-Russian-native speaking individuals.\r\nRight out of the gate, Avaddon touted their speed, configurability, and robust feature set. The first version of\r\nAvaddon was advertised with the following features:\r\nUnique payloads written in C++\r\nFile encryption via AES256 + RSA2048, supporting full-file encryption \u0026 custom parameters\r\nFull offline support, initial contact to C2 not required\r\n“Impossible” 3rd party decryption\r\nSupport for Windows 7 and higher\r\nMulti-threaded file encryption for max performance\r\nEncryption of all local and remote (and accessible) drives\r\nIOCP Support for parallel file encryption\r\nPersistently encrypts newly written files and newly connected media\r\nAbility to spread across network shares (SMB, DFS)\r\nMultiple delivery options (script, PowerShell, .EXE payload, .DLL)\r\nPayload executes as administrator\r\nEncrypts hidden files and volumes\r\nRemoves trash, Volume Shadow Copies (VSS), and other restore points\r\nTermination of processes which inhibit encryption of files\r\nConfigurable ransom note behavior\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 2 of 13\n\nInitially, affiliates were able to build and manage their payload via an elegant administration panel hosted via TOR\r\n(.onion). The panel allowed for management of specific campaigns, payment types and behaviors, victim tracking\r\nand management. It also served as the portal to Avaddon’s technical support resources.\r\nOver the following weeks, Avaddon picked up a great amount of momentum, continued to advertise for\r\nrecruitments and boasted about their coverage in the press.\r\nIn the second half of 2020, Avaddon continued to build its infected base, while also continuing to upgrade the\r\nservice and payloads.\r\nAs AV engines began adding detection rules for Avaddon, the operator responded with frequent updates to ensure\r\nthe desired level of stealth. In late June 2020, the malware added the option to launch payloads via PowerShell.\r\nIn August 2020, some more significant upgrades to the service came in the form of 24/7 support. The actors\r\nindicated at the time that 24×7 support for affiliates was now available via chat and ticketing systems.\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 3 of 13\n\nIn addition, Avaddon was one of the early adopters of additional extortion methods to taunt and advertise the\r\nbreach of non-compliant victims, including the use of targeted advertisements. The authors continued to improve\r\nthe payloads themselves with better Distributed File System (DFS) support, different encryption mechanisms, and\r\nDLL payload support.\r\nNew Year 2021 brought further changes to the Avaddon platform. In January, the actor added support for Windows\r\nXP and 2003 in the payloads, as well as tweaks to the encryption feature set. Notably, Avaddon was one of the first\r\nto add DDoS attacks as yet another intimidation mechanism to their arsenal: If clients failed to comply with the\r\nransom demands, they stood to experience a damaging DDoS attack in addition to their data being leaked to the\r\npublic, and any tarnishing of their reputation as a result of the breach.\r\nEverything seemed to be going well for the Avaddon RaaS, but then they hit a hurdle.\r\nAvaddon Public Decrypter\r\nIn early 2021, a decryption tool for Avaddon was released by Bitdefender. Additionally, an open-source decryptor\r\nwas also released by researcher Javier Yuste based on his extensive paper detailing the internals of Avaddon.\r\nUnder the hood, Avaddon payloads were storing the ‘secret’ session keys for encryption in memory. This allowed\r\nanalysts and researchers to locate the data and extract the key for analysis and eventual development of the\r\ndecryption tool. The tool was widely released, and posted to NoMoreRansom.org.\r\nDuring this period, we even observed actors behind Babuk ransomware offering technical assistance to the\r\nAvaddon actors.\r\nThose behind Avaddon were quick to pivot and move to a different model altogether, nullifying the effect of the\r\ndecryptor. They also offered affiliates an 80% cut for a full month as compensation.\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 4 of 13\n\nFollowing the requisite upgrades to address the encryption issues, Avaddon continued to update their services and\r\ntoolset, in addition to becoming more aggressive with recruitment. February 2021 also saw the addition of Monero\r\nsupport.\r\nSubsequently, we have observed a spike in Avaddon activity, including new victim entries on their blog. The\r\nactor’s most recent public statements indicate that the development of Avaddon V2 is well underway.\r\nAvaddon RaaS Technical Breakdown\r\nIn the majority of cases, the initial delivery vector for Avaddon is via phishing email. However, affiliates have\r\nbeen known to use RDP along with exploitation of network-centric vulnerabilities. We have observed malicious\r\nemails with attached .js payloads, which in turn retrieve the Avaddon payloads from a remote location. In some\r\ncases, threat actors have simply attached the ransomware directly to the email messages.\r\nAvaddon payloads perform checks to insure they are not executing on a victim device located in certain regions of\r\nCIS.\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 5 of 13\n\nThe GetUserDefaultLCID() function (and/or GetKeyboardLayout() ) is used to determine the users’ default\r\nlocale. The following countries are most frequently excluded from execution:\r\nRussia\r\nCherokee Nation\r\nUkraine\r\nTatar\r\nYakut\r\nSakha\r\nA commonly used UAC bypass technique is utilized to ensure that the threat is running with the required\r\nprivileges. Specifically, this is a UAC bypass via CMSTPLUA COM interface.\r\nExisting Windows tools and utilities are used to manipulate and disable system recovery options, backups, and\r\nVolume Shadow Copies. Some syntax can vary across variants. WMIC.EXE is typically used to remove VSS via\r\nSHADOWCOPY DELETE /nointeractive.\r\nWe have also observed the following commands issued by Avaddon payloads:\r\nbcdedit.exe /set {default} recoveryenabled No\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\nWhile there have been changes to Avaddon’s encryption routine to combat 3rd party decryption, the historic flow,\r\nsimplified, would be:\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 6 of 13\n\n1. Generation of session Key (AES 256)\r\n2. Update master key (AES 256)\r\n3. Master key encrypts relevant user and environment data, along with the ransom note (typically Base64)\r\n4. Files are encrypted via the session key\r\n5. Append encrypted session key (RSA 2048) to the end of each encrypted file\r\nAvaddon Evasion Techniques\r\nAvaddon can be configured to terminate specific processes. This is frequently done to target security products or\r\nprocesses which might interfere with the encryption process. An example process list would be:\r\n DefWatch\r\n ccEvtMgr\r\n ccSetMgr\r\n SavRoam\r\n dbsrv12\r\n sqlservr\r\n sqlagent\r\n Intuit.QuickBooks.FCS\r\n dbeng8\r\n sqladhlp\r\n QBIDPService\r\n Culserver\r\n RTVscan\r\n vmware-usbarbitator64\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 7 of 13\n\nvmware-converter\r\n VMAuthdService\r\n VMnetDHCP\r\n VMUSBArbService\r\n VMwareHostd\r\n sqlbrowser\r\n SQLADHLP\r\n sqlwriter\r\n msmdsrv\r\n tomcat6\r\n QBCFMonitorService\r\nAvaddon has also been known to prioritize the encryption of Microsoft Exchange-related directories.\r\nMost Avaddon payloads will exclude the following critical OS locations from encryption:\r\n C:PERFLOGS\r\n C:PROGRAM FILES (X86)\r\n C:PROGRAMDATA\r\n C:USERS\u003cUSER\u003eAPPDATA\r\n C:USERS\u003cUSER\u003eAPPDATALOCALTEMP\r\n C:USERSPUBLIC\r\n C:WINDOWS\r\nPersistence mechanisms can also vary, and we have observed variations of Avaddon that utilize the creation of a\r\nnew Windows service, as well as the use of scheduled tasks for persistence.\r\nAvaddon Post-Infection Behavior\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 8 of 13\n\nInfected files are renamed with an extension consisting of randomly generated letters. These extensions are unique\r\nfor each victim.\r\nEarlier versions of Avaddon would also replace the infected hosts’ wallpaper image. The current version presents\r\nvictims with a ransom note as shown below. Victims are warned that aside from their data being encrypted, the\r\nactors “have also downloaded a lot of private data from your network”.\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 9 of 13\n\nVictims are instructed to visit the Avaddon payment portal via the TOR browser, where they must enter their\r\nunique ID (found in the ransom note) to proceed.\r\nThe actors behind Avaddon do not wait for victims to become non-compliant before they are named and shamed\r\non the blog. Company names appear with a timer, counting down to the posting time for any data stolen from the\r\ntargeted environment.\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 10 of 13\n\nIt is important to note that victims appear on the leak site at the point when they are breached, and not just when\r\nthe actor decides to release their data. This means that a company breach could easily become public knowledge\r\nregardless of any action taken by the victim, and potentially at a time where the target company would rather\r\n‘control the release’ of that type of information.\r\nAt the time of writing, there are just over sixty companies listed, 19 of which include fully released dumps of\r\nsensitive information.\r\nAvaddon does not appear to have any particular preference or scruples when it comes to targets. Whereas some\r\nransomware groups have backed off certain types of targets during the ongoing pandemic, Avaddon victims to\r\ndate include healthcare-related entities. That said, the most represented industries in their victimology are\r\nInformation Technology \u0026 Services, Food Production, Legal Services, and Manufacturing.\r\nConclusion\r\nAvaddon is another successful example of the current RaaS model. lt has appeared on the scene and made an\r\nimpact very quickly. The actors are disciplined with regard to whom they will accept as an affiliate, which ensures\r\nsome degree of longevity and exclusivity. In addition, they very quickly adopted the more aggressive extortion\r\ntechniques tied to modern ransomware families. This not only includes the public leaking of data but also the\r\nthreat of DDoS attacks, personal threats, and advertisement-based taunting.\r\nAll of these, along with tight payment requirements for the victims, have put Avaddon in a potentially powerful\r\nposition. They have yet to garner quite the same amount of media attention as predecessors such as Maze and\r\nEgregor, but there is no reason to believe that Avaddon is any less dangerous. At this time, those behind Avaddon\r\nare highly-engaged with their community and actively developing and iterating in response to security research\r\nand detection. With Avaddon version 2 on the horizon, we only expect to see increased activity from this actor as\r\nwe move further into 2021.\r\nIndicators of Compromise\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 11 of 13\n\nSHA1:\r\nc41d5b04b8219df57249ecdba8faa97c3d4a7fc2\r\nc1f6f1e1a27e7be32a3f18440c05951fa7e52eb9\r\nc0fc01350ae774f3817d71710d9a6e9adaba441f\r\n4915feb5b5cccd9e75f0bd4af5e35211353a207e\r\nf540a1f2fdc0670e1a7a3d55e335e70ebe3089f7\r\n880e40932e56e0aa0b0ad8c413b50fca7d771bbe\r\n7e835d1813f2eaf82c5e38eebf3bfd06ed6513e0\r\na1d6461e833813ccfb77a6929de43ab5383dbb98\r\na37a3b88a15d31a8951243cd6f3f08149244a67d\r\n3b575420ceea4203152041be00dc80519d1532b5\r\ndd2cce7e2f5dcf0a00e4ec9cdbc028476ceb3583\r\n48385b39f2ad900377aba7442d93663506c2b9c5\r\n60ab0dd2ef31cfb96d52fa0a429c3803417db5c2\r\n5ddb793327e1e89ef8f406be11f97e5489f7a5c1\r\nd680d790167a7f84f7e531b2d16db0a0e3359f73\r\nf94fda611b71bd565c1d603864e21e9cfd3ca99e\r\n40e0fff64ba685d97fe143880a7b01c0137b4ceb\r\n9087d7b5f8b62a2afa4f229b7e254971d4d9b5c3\r\n6a6956aff077aeda5b22873cfb891632fbce6bc7\r\n35831310fa4f11909c44b5db64c44b1064ac1d35\r\nSHA256:\r\n28adb5fa487a7d726b8bad629736641aadbdacca5e4f417acc791d0e853924a7\r\n0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184\r\n0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b\r\n146e554f0d56db9a88224cd6921744fdfe1f8ee4a9e3ac79711f9ab15f9d3c7f\r\n2946ef53c8fec94dcdf9d3a1afc077ee9a3869eacb0879cb082ee0ce3de6a2e7\r\n29b5a12cda22a30533e22620ae89c4a36c9235714f4bad2e3944c38acb3c5eee\r\n331177ca9c2bf0c6ac4acd5d2d40c77991bb5edb6e546913528b1665d8b501f3\r\n46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675\r\n5252cc9dd3a35f392cc50b298de47838298128f4a1924f9eb0756039ce1e4fa2\r\n61126de1b795b976f3ac878f48e88fa77a87d7308ba57c7642b9e1068403a496\r\n64cfe726643c7783b0f13a2927ab330e35e94a9125122b0cc230eec2bea27dd1\r\n6884d700284bc3158dbeb8745bcda3e3b17b69ad049528b125b36e2455bb6b27\r\n6a4875ddaceaa91fb3369f0f6d962f77442daf1b1d97733457d12bcabdf79441\r\n8d14c0c8faf6249b67a1d19b7bd1404eb416304d8f5c73b3bdc9c69367e829de\r\n98388773dc5da7f73a32a08613404029c7cd23078d697700aec6b573b2fa8e09\r\ncaf57646723fe7c34f89618d96af3c2b82816f5d995fd7b951f32571166d3768\r\ndab7eb2503e0d61d02e6156a47361da97afc53c1dee17c420a0a05de891172c3\r\nde48c7d7f4865099dba96b6e2c6dca54187fb64e07c319660f072b851ec8b3b3\r\nf9b748cf35278dc4bfaa2127ca1d6016fafbeb768b1a09c7ab58560632dbd637\r\nfa4bc4a1dd461ecaadd094a9a21668ecdbb60022fb1b088854a8d13c09155a5c\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 12 of 13\n\nMITRE ATT\u0026CK\r\nT1027 Obfuscated Files or Information\r\nT1497.001 Virtualization/Sandbox Evasion / System Checks\r\nT1202 Indirect Command Execution\r\nT1078 Valid Accounts\r\nT1562.001 Impair Defenses: Disable or Modify Tools\r\nT1070.004 Indicator Removal on Host / File Deletion\r\nT1112 Modify Registry\r\nT1012 Query Registry\r\nT1082 System Information Discovery\r\nT1120 Peripheral Device Discovery\r\nT1490 Inhibit System Recovery\r\nT1548.002 Abuse Elevation Control Mechanism / Bypass User Account Control\r\nT1566 Phishing\r\nT1498.001 Network Denial of Service / Direct Network Flood\r\nT1486 Data Encrypted for Impact\r\nT1543.003 Create or Modify System Process: Windows Service\r\nSource: https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nhttps://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/"
	],
	"report_names": [
		"avaddon-raas-breaks-public-decryptor-continues-on-rampage"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434195,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e74a74de0a5c87fd3f5bfd6a91bd4bd9a6f028e5.pdf",
		"text": "https://archive.orkl.eu/e74a74de0a5c87fd3f5bfd6a91bd4bd9a6f028e5.txt",
		"img": "https://archive.orkl.eu/e74a74de0a5c87fd3f5bfd6a91bd4bd9a6f028e5.jpg"
	}
}