Picus Labs | 7 MIN READ

CREATED ON December 03, 2025

Riddle Spider Avaddon Ransomware Analysis and Technical Overview

Emerging in June 2020, the Avaddon ransomware operation rapidly established itself as a significant threat within the cybercrime ecosystem through a highly organized Ransomware-as-a-Service (RaaS) model. The campaign was characterized by its use of double extortion tactics, where victims faced not only the encryption of critical data but also the threat of having sensitive information published on a dedicated leak site if ransom demands were not met. The development and overall management of this RaaS enterprise are attributed to the threat actor tracked as Riddle Spider [1]. The operation follows a typical affiliate model where profits are split between the operators and affiliates, often starting at a 35/65 split.

In this blog, we will analyze the technical characteristics of the Avaddon ransomware associated with the Riddle Spider group.

What are the Technical Characteristics of the Avaddon ransomware?

Avaddon is a Ransomware-as-a-Service (RaaS) operation that was active between June 2020 and June 2021. The malware, written in C++, targets Windows systems and encrypts files locally and on mapped network shares. The ransomware is noted for its extensive anti-analysis and anti-recovery mechanisms, including the deletion of shadow copies and the termination of security-related processes. Analysis indicates that Avaddon shares significant code similarities and TTPs with other ransomware families such as MedusaLocker, Ako, and ThunderX [2].

Distribution and Initial Access

The distribution of Avaddon relies on a network of affiliates who employ various tactics to gain a foothold in victim environments. Observed methods include the use of compromised credentials, often leveraged via Remote Desktop Protocol (RDP) for lateral movement. To maintain access to and interact with compromised servers, custom web shells such as BLACKCROW and DARKRAVEN are used. Additionally, the SystemBC remote administration tool is frequently deployed to interact with compromised hosts.

Post-exploitation activities involve the use of open-source frameworks like Empire and PowerSploit. Data staging and exfiltration are facilitated by tools such as 7Zip and MEGAsync [2].

Execution and Configuration

Upon execution, the malware initializes its configuration, which is embedded within the binary as global std::string variables. These strings are encoded using Base64 and subjected to multiple iterations of arithmetic operations with a hardcoded single-byte key.

The following Python script demonstrates the logic used to decode the configuration strings found in the malware samples [2]:

from base64 import b64decode

def decode_string(b64_string):
    # Base64-decode, then for each byte: subtract the key (5), XOR with 0xb3,
    # and mask to a single byte before converting it back to a character.
    return ''.join([chr(((x - 5) ^ 0xb3) & 0xff) for x in b64decode(b64_string)])
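
As an added example (not code from the page or from the Mandiant analysis it cites), the same transform applied the way an analyst would use it: scan a byte buffer for Base64 candidates and keep those that decode to printable text under the Avaddon transform. The encode_string helper, the candidate regex and the sample blob are assumptions constructed here for testing, not malware routines.

```python
import binascii
import re
import string
from base64 import b64decode, b64encode

def decode_string(b64_string):
    # The transform from the page: Base64-decode, subtract 5, XOR 0xb3, mask to a byte.
    return ''.join(chr(((x - 5) ^ 0xb3) & 0xff) for x in b64decode(b64_string, validate=True))

def encode_string(plaintext):
    # Inverse transform (XOR 0xb3, then add 5 mod 256), assumed here only to
    # build constructed test input; it is not a routine from the malware.
    raw = bytes(((ord(c) ^ 0xb3) + 5) & 0xff for c in plaintext)
    return b64encode(raw).decode('ascii')

# Candidate runs of Base64 alphabet with optional padding, 8+ characters (6+ decoded bytes).
B64_CANDIDATE = re.compile(rb'[A-Za-z0-9+/]{8,}={0,2}')
PRINTABLE = set(string.printable) - set('\x0b\x0c')

def extract_config_strings(blob):
    """Scan a byte buffer for Base64 candidates and keep the ones that decode
    to entirely printable text under the Avaddon transform. Random data rarely
    survives both the strict Base64 validation and the printable filter."""
    found = []
    for match in B64_CANDIDATE.finditer(blob):
        candidate = match.group().decode('ascii')
        try:
            decoded = decode_string(candidate)
        except (binascii.Error, ValueError):
            continue
        if decoded and all(c in PRINTABLE for c in decoded):
            found.append(decoded)
    return found

# Constructed sample: strings named on the page, encoded with the transform and
# embedded among filler bytes as they would sit in a binary's data section.
CONFIG_PLAINTEXTS = ['.eDDDbCADB', 'C:\\Windows', 'C:\\Program Files']
SAMPLE_BLOB = b'MZ\x90\x00\x03\x00\x00\x00' + b'\x00'.join(
    encode_string(s).encode('ascii') for s in CONFIG_PLAINTEXTS) + b'\x00\xff\xfe\x00'
```

Run against a real sample's data section, the printable filter is what separates configuration strings from coincidental Base64-looking runs.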

Defense Evasion and Persistence

Avaddon employs several mechanisms to evade detection and ensure successful encryption. A geographical check is performed to verify the victim's location. The system's Language Code Identifier (LCID) and keyboard layout are retrieved, and execution is terminated if any of the following languages are detected:

  • Russian
  • Ukrainian
  • Tatar
  • Sakha

This behavior aligns with policies often seen in Russian-speaking cybercriminal forums prohibiting attacks within the Commonwealth of Independent States (CIS) [2].

To prevent interference during the encryption process, a specific list of services is targeted. These services are stopped and subsequently deleted. The targeted services include [2]:

ccEvtMgr, ccSetMgr, Culserver, dbeng8, dbsrv12, DefWatch, Intuit.QuickBooks.FCS, msmdsrv, QBCFMonitorService, QBIDPService, RTVscan, SavRoam, sqladhlp, SQLADHLP, sqlagent, sqlbrowser, sqlservr, sqlwriter, tomcat6, VMAuthdService, VMnetDHCP, VMUSBArbService, vmware-usbarbitator64, VMwareHostd

In addition to services, specific processes are terminated [2]:

360doctor.exe, 360se.exe, axlbridge.exe, Culture.exe, Defwatch.exe, fdhost.exe, fdlauncher.exe, GDscan.exe, httpd.exe, MsDtSrvr.exe, QBCFMonitorService, QBDBMgr.exe, QBIDPService.exe, qbupdate.exe, QBW32.exe, RAgui.exe, RTVscan.exe, sqlbrowser.exe, sqlmangr.exe, sqlservr.exe, supervise.exe, winword.exe, wxServer.exe, wxServerView.exe, tomcat6.exe, java.exe, wdswfsafe.exe

Anti-Recovery Operations

To ensure that victims cannot easily restore their data without paying the ransom, Windows shadow volumes are deleted and the recycle bin is emptied. The Windows Restart Manager is leveraged to prevent the system from restarting by registering the files currently being encrypted with the Restart Manager.

The following commands are executed to disable recovery options [2]:

wmic.exe SHADOWCOPY /nointeractive
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin DELETE SYSTEMSTATEBACKUP -d
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
vssadmin.exe Delete Shadows /All /Quiet
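
An added detection example, not Picus or Mandiant content: it runs command-line patterns for the five commands above over constructed process-creation events in an assumed host=/cmdline= layout and flags hosts where more than one anti-recovery rule fired, since a single vssadmin or wbadmin invocation is also normal administration.

```python
import re
from collections import defaultdict

# Patterns for the anti-recovery commands listed above, matched
# case-insensitively against a process command line (added example).
ANTI_RECOVERY_PATTERNS = {
    "wmic_shadowcopy": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b", re.I),
    "wbadmin_delete_systemstate": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bsystemstatebackup\b", re.I),
    "bcdedit_ignoreallfailures": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", re.I),
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
}

# Assumed key=value event layout (Sysmon Event ID 1 / Security 4688 carry the same fields).
EVENT_RE = re.compile(r"host=(\S+).*?\bcmdline=(.*)$")

def detect_anti_recovery(events):
    """Return (host, rule, cmdline) for every rule that fires on an event.
    A single hit is noisy: administrators also run vssadmin and wbadmin."""
    hits = []
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue
        host, cmdline = m.group(1), m.group(2).strip()
        for rule, pattern in ANTI_RECOVERY_PATTERNS.items():
            if pattern.search(cmdline):
                hits.append((host, rule, cmdline))
    return hits

def hosts_with_chain(events, min_rules=2):
    """Hosts where at least min_rules distinct rules fired: the multi-command
    pre-encryption sequence rather than a one-off administrative command."""
    rules_by_host = defaultdict(set)
    for host, rule, _ in detect_anti_recovery(events):
        rules_by_host[host].add(rule)
    return sorted(h for h, r in rules_by_host.items() if len(r) >= min_rules)

# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    "host=WS01 pid=4412 cmdline=wmic.exe SHADOWCOPY /nointeractive",
    "host=WS01 pid=4420 cmdline=wbadmin DELETE SYSTEMSTATEBACKUP",
    "host=WS01 pid=4431 cmdline=bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "host=WS01 pid=4437 cmdline=vssadmin.exe Delete Shadows /All /Quiet",
    "host=SRV02 pid=1200 cmdline=vssadmin.exe list shadows",
    "host=SRV02 pid=1208 cmdline=notepad.exe C:\\Users\\Public\\notes.txt",
]
```

Calling hosts_with_chain(SAMPLE_EVENTS) returns only WS01; SRV02's shadow-copy listing matches no deletion rule and is left alone.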

Encryption Routine

Files are encrypted using the AES-256 algorithm. In earlier versions, a single session key was generated, but later iterations evolved to use unique keys per file to prevent simple decryption tools from working.

To maintain system stability and ensure the operating system remains functional (allowing the user to pay the ransom), specific directories and file extensions are excluded from encryption.

Excluded Directories [2]:

C:\Windows
C:\Program Files
C:\Users\All Users
C:\Users\Public
C:\Users\user\AppData\Local\Temp
C:\Program Files (x86)
C:\Users\user\AppData
C:\ProgramData
C:\Program Files\Microsoft\Exchange Server
C:\Program Files (x86)\Microsoft\Exchange Server
C:\Program Files\Microsoft SQL Server
C:\Program Files (x86)\Microsoft SQL Server

Excluded File Extensions [2]:

.bin, .sys, .ini, .dll, .lnk, .dat, .exe, .drv, .rdp, .prf, .swp, .mdf, .mds, .sql

Host Reconnaissance and Ransom Note

Host reconnaissance is conducted and the result is included in the ransom note. This data consists of a plaintext victim ID and a JSON structure encrypted with an RSA key; the two parts are joined with a hyphen and the result is Base64 encoded.

The JSON structure contains the following fields:

  • ext: Encrypted file extension
  • rcid: AES key and file extension encrypted with RSA key (hex format)
  • hdd: Detected drives (Name, Size, Type)
  • lang: Default locale language
  • name: Hostname

An example of the gathered JSON data is shown below [2]:

{
  "ext": ".eDDDbCADB",
  "rcid": "796249FF39A076F96C3261D0913FEEF832759C1D2CA83DA9AF38D582B8C3E638E71F<truncated>",
  "hdd": [
    {
      "name": "C",
      "size": 118,
      "type": "local"
    },
    {
      "name": "D",
      "size": 0,
      "type": "local"
    }
  ],
  "lang": "English",
  "name": "DESKTOP-AA1OUBT"
}

How Does Picus Simulate Riddle Spider Attacks?

We also strongly suggest simulating Riddle Spider attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Riddle Spider:

Threat ID | Threat Name                         | Attack Module
----------|-------------------------------------|---------------------
45668     | Riddle Spider Threat Group Campaign | Windows Endpoint
95933     | Avaddon Ransomware Download Threat  | Network Infiltration
94255     | Avaddon Ransomware Email Threat     | E-mail Infiltration

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • Riddle Spider’s Avaddon Ransomware is a C++ Ransomware-as-a-Service operation active from June 2020 to June 2021 using double extortion and an affiliate profit-share model.
  • Initial access relies on compromised credentials, RDP, custom web shells, SystemBC, and post-exploitation frameworks for lateral movement and data exfiltration.
  • Configuration data is stored as Base64-encoded strings in the binary and decoded through additional arithmetic operations.
  • Defense evasion includes geographic checks, service stoppage, process termination, and removal of shadow copies and recovery options.
  • The encryption routine uses AES-256, evolves from a single session key to per-file keys, and excludes specific directories and file types for system stability.
  • Host reconnaissance data is embedded into the ransom note, including encrypted victim identifiers, drive information, locale, and hostname.

References

[1] “Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack,” CrowdStrike.com. Accessed: Nov. 27, 2025. [Online]. Available: https://www.crowdstrike.com/en-us/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

[2] “One Source to Rule Them All: Chasing AVADDON Ransomware,” Google Cloud Blog. Accessed: Nov. 27, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/chasing-avaddon-ransomware/

Frequently Asked Questions (FAQs)

Here are the most frequently asked questions about Avaddon ransomware.

What is Avaddon ransomware?

Avaddon is a Ransomware-as-a-Service operation active between June 2020 and June 2021. It targets Windows systems, encrypts local and networked files, and uses double extortion tactics by threatening to publish stolen data if ransom demands are not met.

Who operates Avaddon ransomware?

The ransomware operation is attributed to the threat actor tracked as Riddle Spider. The campaign uses an affiliate model with profit sharing between operators and affiliates, typically starting at a 35/65 split.

How does Avaddon gain access to systems?

Avaddon relies on affiliates who use compromised credentials, often via Remote Desktop Protocol, and deploy web shells like BLACKCROW and DARKRAVEN. SystemBC and open-source frameworks such as Empire and PowerSploit assist with post-exploitation and lateral movement.

What mechanisms does Avaddon use for defense evasion?

Avaddon checks system geography and language codes, terminating execution if Russian, Ukrainian, Tatar, or Sakha are detected. The ransomware stops and deletes targeted services and processes to prevent interference during encryption.

How does Avaddon prevent the recovery of encrypted files?

Windows shadow volumes are deleted, the recycle bin is emptied, and Restart Manager is leveraged to block system restarts. Commands disable system recovery and prevent data restoration without paying ransom.

How does Avaddon perform file encryption?

Files are encrypted using AES-256. Early versions used a single session key, while later iterations generate unique keys per file. Specific directories and file extensions are excluded to maintain system stability and allow ransom payment.

Can Picus products help with Avaddon attacks?

Picus products can detect and simulate ransomware attacks, allowing organizations to evaluate defensive controls against Avaddon tactics.