Evolution and rise of the Avaddon Ransomware-as-a-Service

The Avaddon ransomware operators updated their malware after security researchers released a public decryptor in February 2021.

The Avaddon ransomware family first appeared in the threat landscape in February 2020, and its authors started offering it with a Ransomware-as-a-Service (RaaS) model in June, 2020. In August 2020, cybersecurity intelligence firm Kela was the first to report that the Avaddon ransomware operators announced on a Russian-speaking hacker forum their new data leak site.

In February, the Spanish student Javier Yuste released a free decryption tool for the Avaddon ransomware that can be used by the victims to recover their encrypted files for free.

The Avaddon ransomware quickly reacted to the availability of the decryptor and released an update for the code of their malware that made the tool inefficient.

Source ZDNet

Multiple security experts pointed out that the decision to publicly release decryption tools is not a good option when the decryptor exploit some flaws in the malware code, because it could help ransomware operators to fix the issues.

Since then, researchers from SentinelOne observed a spike in the activity of the Avaddon operators that started offering a “Version 2” of their RaaS.

SentinelOne’s threat intelligence expert JIM WALTER explained that Avaddon operators offered to their partners an initial 25% cut on the ransom, a percentage that could for higher volume affiliates. The reputation of the gang rapidly grew in the following months, the group became one of the more aggressive ransomware operators.

The first version of Avaddon was advertised with the following features:

Unique payloads written in C++
File encryption via AES256 + RSA2048, supporting full-file encryption & custom parameters
Full offline support, initial contact to C2 not required
“Impossible” 3rd party decryption
Support for Windows 7 and higher
Multi-threaded file encryption for max performance
Encryption of all local and remote (and accessible) drives
IOCP Support for parallel file encryption
Persistently encrypts newly written files and newly connected media
Ability to spread across network shares (SMB, DFS)
Multiple delivery options (script, PowerShell, .EXE payload, .DLL)
Payload executes as administrator
Encrypts hidden files and volumes
Removes trash, Volume Shadow Copies (VSS), and other restore points
Termination of processes which inhibit encryption of files
Configurable ransom note behavior

“Initially, affiliates were able to build and manage their payload via an elegant administration panel hosted via TOR (.onion). The panel allowed for management of specific campaigns, payment types and behaviors, victim tracking and management. It also served as the portal to Avaddon’s technical support resources.” wrote Walter.

Over the months Avaddon ransomware operators continued to promote their services in cybercrime forums to recruit more people to the network of its affiliates. At the same time, operators continued to upgrade their code to avoid detection of security solutions.

In August 2020, the group launched the 24×7 support for affiliates, the gang set up a chat and ticketing systems.

In 2021, Avaddon ransomware operators added support for Windows XP and 2003 for their malware and also started adding DDoS attacks as an extortion mechanism to force victims into paying the ransom.

SentinelOne experts also reported that the group faced difficulties due to the release of the decryptor in February and noticed that Babuk ransomware operators offering technical assistance to the Avaddon actors.

Avaddon quickly reacted becoming stringer than before the release of the decryptor.

“Those behind Avaddon were quick to pivot and move to a different model altogether, nullifying the effect of the decryptor. They also offered affiliates an 80% cut for a full month as compensation.” added Walter.

Avaddon gang fixed the issue in its malware and started accepting payment in Monero, recently public statements published by the group confirm the development of version 2 of the ransomware.

“At this time, those behind Avaddon are highly-engaged with their community and actively developing and iterating in response to security research and detection. With Avaddon version 2 on the horizon, we only expect to see increased activity from this actor as we move further into 2021.” concludes the report.

Technical details about the ransomware, including Indicators of Compromise (IoCs), are reported in the post published by SentinelOne.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Avaddon ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.