Evolution and rise of the Avaddon Ransomware-as-a-Service

The Avaddon ransomware operators updated their malware after security researchers released a public decryptor in February 2021.

The Avaddon ransomware family first appeared in the threat landscape in February 2020, and its authors started offering it with a Ransomware-as-a-Service (RaaS) model in June, 2020. In August 2020, cybersecurity intelligence firm Kela was the first to report that the Avaddon ransomware operators announced on a Russian-speaking hacker forum their new data leak site.

In February, the Spanish student Javier Yuste released a free decryption tool for the Avaddon ransomware that can be used by the victims to recover their encrypted files for free.

The Avaddon ransomware quickly reacted to the availability of the decryptor and released an update for the code of their malware that made the tool inefficient.

Multiple security experts pointed out that the decision to publicly release decryption tools is not a good option when the decryptor exploit some flaws in the malware code, because it could help ransomware operators to fix the issues.

Since then, researchers from SentinelOne observed a spike in the activity of the Avaddon operators that started offering a “Version 2” of their RaaS.

SentinelOne’s threat intelligence expert JIM WALTER explained that Avaddon operators offered to their partners an initial 25% cut on the ransom, a percentage that could for higher volume affiliates. The reputation of the gang rapidly grew in the following months, the group became one of the more aggressive ransomware operators.

The first version of Avaddon was advertised with the following features:

• Unique payloads written in C++
• File encryption via AES256 + RSA2048, supporting full-file encryption & custom parameters
• Full offline support, initial contact to C2 not required
• “Impossible” 3rd party decryption
• Support for Windows 7 and higher
• Multi-threaded file encryption for max performance
• Encryption of all local and remote (and accessible) drives
• IOCP Support for parallel file encryption
• Persistently encrypts newly written files and newly connected media
• Ability to spread across network shares (SMB, DFS)
• Multiple delivery options (script, PowerShell, .EXE payload, .DLL)
• Payload executes as administrator
• Encrypts hidden files and volumes
• Removes trash, Volume Shadow Copies (VSS), and other restore points
• Termination of processes which inhibit encryption of files
• Configurable ransom note behavior

“Initially, affiliates were able to build and manage their payload via an elegant administration panel hosted via TOR (.onion). The panel allowed for management of specific campaigns, payment types and behaviors, victim tracking and management. It also served as the portal to Avaddon’s technical support resources.” wrote Walter.

Over the months Avaddon ransomware operators continued to promote their services in cybercrime forums to recruit more people to the network of its affiliates. At the same time, operators continued to upgrade their code to avoid detection of security solutions.

In August 2020, the group launched the 24×7 support for affiliates, the gang set up a chat and ticketing systems.

In 2021, Avaddon ransomware operators added support for Windows XP and 2003 for their malware and also started adding DDoS attacks as an extortion mechanism to force victims into paying the ransom.

SentinelOne experts also reported that the group faced difficulties due to the release of the decryptor in February and noticed that Babuk ransomware operators offering technical assistance to the Avaddon actors.

Avaddon quickly reacted becoming stringer than before the release of the decryptor.

“Those behind Avaddon were quick to pivot and move to a different model altogether, nullifying the effect of the decryptor. They also offered affiliates an 80% cut for a full month as compensation.” added Walter.

Avaddon gang fixed the issue in its malware and started accepting payment in Monero, recently public statements published by the group confirm the development of version 2 of the ransomware.

“At this time, those behind Avaddon are highly-engaged with their community and actively developing and iterating in response to security research and detection. With Avaddon version 2 on the horizon, we only expect to see increased activity from this actor as we move further into 2021.” concludes the report.

Technical details about the ransomware, including Indicators of Compromise (IoCs), are reported in the post published by SentinelOne.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Avaddon ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]