Avaddon
Avaddon is a ransomware family/RaaS operation first observed in June 2020. The content describes it as initially distributed through large-scale spam campaigns, including four campaigns identified by Proofpoint in 2020 that accounted for about one million messages and 95% of first-stage ransomware email payloads observed in that period. Later reporting cited in the content states Avaddon operators increasingly obtained initial access through remote access portals such as RDP and VPN rather than direct email. Avaddon has also been executed through a malicious JScript downloader.
Behaviorally, Avaddon performs language and keyboard-layout checks to avoid targeting Commonwealth of Independent States (CIS) entities. It attempts to stop anti-malware solutions and has been associated with broader defense-impairment tradecraft, including abuse of legitimate rootkit-removal tooling. It deletes backups and shadow copies using native Windows tools, specifically including wmic.exe for shadow copy deletion. Technical reporting in the content states Avaddon stores host and encryption metadata in an in-memory JSON blob, and that early versions used a single AES-256 key per execution while later versions shifted to a unique AES key per file with per-file session keys stored in encrypted file footers using RSA. Earlier builds reportedly included a CMSTPLUA COM-interface UAC bypass that was later removed, and later versions added a "-safe" option to reboot victims into Safe Mode before encryption. Samples from April 2021 reportedly added IOCompletionPort-based multithreading.
The content further notes similarities between Avaddon and MEDUSALOCKER, Ako, ThunderX, and RANZY, including shared implementation characteristics and overlapping ransomware ecosystem features, though direct lineage remains unclear. Avaddon is described as having operated for about a year, gaining popularity across multiple regions and industries, and later shutting down while releasing victims’ private keys. It used a leak site referred to as "Avaddon Info," and the content places it among groups that used double- or triple-extortion tactics. Additional reporting cited in the content says Avaddon used First VPN Service infrastructure for network reconnaissance and intrusions, and one infrastructure analysis linked several IPs to prior Avaddon-associated activity in February 2023. The content also notes reporting that NoEscape was alleged to be a rebrand of Avaddon, but that claim is presented as reported attribution rather than established fact.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Initial Access
Execution
2 techniques
Execution
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
Persistence
3 techniques
Persistence
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
the ransomware operators obtained initial access via remote access portals such as RDP and VPN, a pivot away from direct email access.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
2 techniques
Privilege Escalation
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Stealth
2 techniques
Stealth
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
Defense Impairment
1 technique
Defense Impairment
Discovery
4 techniques
Discovery
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.
Impact
2 techniques
Impact
Numerous ransomware/wiper examples enumerate files before encryption, such as "BlackCat can enumerate files for encryption", "NotPetya searches for files ending with dozens of different file extensions prior to encryption", and "WastedLocker can enumerate files and directories just prior to encryption."
Other
2 techniques
Other
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities... killing security software processes or services, modifying / deleting Registry keys or configuration files... Adversaries may also disable updates...
Recent activity
45 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family explicitly identified as one of the groups using First VPN infrastructure for reconnaissance and intrusions.
Avaddon is a C++ ransomware that operated as a Ransomware-as-a-Service (RaaS) from June 2020 to June 2021. It targets Windows systems, encrypts files locally and on network shares, and uses double extortion by threatening to leak stolen data. It employs anti-analysis, anti-recovery, and defense evasion techniques, including geographic checks, service and process termination, and deletion of shadow copies. Initial access is typically gained via compromised credentials, RDP, and custom web shells, with post-exploitation using tools like SystemBC, Empire, and PowerSploit.
Ransomware that deletes backups and shadow copies using native system tools to prevent restoration.
Avaddon is a ransomware variant mentioned as being tied to the sanctioned LockBit member Ivan Gennadievich Kondratiev.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.