Evolution and rise of the Avaddon Ransomware-as-a-Service

The Avaddon ransomware operators updated their malware after security researchers released a public decryptor in February 2021.

The Avaddon ransomware family first appeared in the threat landscape in February 2020, and its authors started offering it with a Ransomware-as-a-Service (RaaS) model in June, 2020. In August 2020, cybersecurity intelligence firm Kela was the first to report that the Avaddon ransomware operators announced on a Russian-speaking hacker forum their new data leak site.

In February, the Spanish student Javier Yuste released a free decryption tool for the Avaddon ransomware that can be used by the victims to recover their encrypted files for free.

The Avaddon ransomware quickly reacted to the availability of the decryptor and released an update for the code of their malware that made the tool inefficient.

Source ZDNet

Multiple security experts pointed out that the decision to publicly release decryption tools is not a good option when the decryptor exploit some flaws in the malware code, because it could help ransomware operators to fix the issues.

Since then, researchers from SentinelOne observed a spike in the activity of the Avaddon operators that started offering a “Version 2” of their RaaS.

SentinelOne’s threat intelligence expert JIM WALTER explained that Avaddon operators offered to their partners an initial 25% cut on the ransom, a percentage that could for higher volume affiliates. The reputation of the gang rapidly grew in the following months, the group became one of the more aggressive ransomware operators.

The first version of Avaddon was advertised with the following features:

Unique payloads written in C++

File encryption via AES256 + RSA2048, supporting full-file encryption & custom parameters

Full offline support, initial contact to C2 not required

“Impossible” 3rd party decryption

Support for Windows 7 and higher

Multi-threaded file encryption for max performance

Encryption of all local and remote (and accessible) drives

IOCP Support for parallel file encryption

Persistently encrypts newly written files and newly connected media

Ability to spread across network shares (SMB, DFS)

Multiple delivery options (script, PowerShell, .EXE payload, .DLL)

Payload executes as administrator

Encrypts hidden files and volumes

Removes trash, Volume Shadow Copies (VSS), and other restore points

Termination of processes which inhibit encryption of files

Configurable ransom note behavior

“Initially, affiliates were able to build and manage their payload via an elegant administration panel hosted via TOR (.onion). The panel allowed for management of specific campaigns, payment types and behaviors, victim tracking and management. It also served as the portal to Avaddon’s technical support resources.” wrote Walter.

Over the months Avaddon ransomware operators continued to promote their services in cybercrime forums to recruit more people to the network of its affiliates. At the same time, operators continued to upgrade their code to avoid detection of security solutions.

In August 2020, the group launched the 24×7 support for affiliates, the gang set up a chat and ticketing systems.

In 2021, Avaddon ransomware operators added support for Windows XP and 2003 for their malware and also started adding DDoS attacks as an extortion mechanism to force victims into paying the ransom.

SentinelOne experts also reported that the group faced difficulties due to the release of the decryptor in February and noticed that Babuk ransomware operators offering technical assistance to the Avaddon actors.

Avaddon quickly reacted becoming stringer than before the release of the decryptor.

“Those behind Avaddon were quick to pivot and move to a different model altogether, nullifying the effect of the decryptor. They also offered affiliates an 80% cut for a full month as compensation.” added Walter.

Avaddon gang fixed the issue in its malware and started accepting payment in Monero, recently public statements published by the group confirm the development of version 2 of the ransomware.

“At this time, those behind Avaddon are highly-engaged with their community and actively developing and iterating in response to security research and detection. With Avaddon version 2 on the horizon, we only expect to see increased activity from this actor as we move further into 2021.” concludes the report.

Technical details about the ransomware, including Indicators of Compromise (IoCs), are reported in the post published by SentinelOne.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s