Emerging in June 2020, the Avaddon ransomware operation rapidly established itself as a significant threat within the cybercrime ecosystem through a highly organized Ransomware-as-a-Service (RaaS) model. The campaign was characterized by its use of double extortion tactics, where victims faced not only the encryption of critical data but also the threat of having sensitive information published on a dedicated leak site if ransom demands were not met. The development and overall management of this RaaS enterprise are attributed to the threat actor tracked as Riddle Spider [1]. The operation follows a typical affiliate model where profits are split between the operators and affiliates, often starting at a 35/65 split.
In this blog, we will analyze the technical characteristics of the Avaddon ransomware associated with the Riddle Spider group.
Avaddon is a Ransomware-as-a-Service (RaaS) operation that was active between June 2020 and June 2021. The malware, written in C++, targets Windows systems and encrypts files locally and on mapped network shares. The ransomware is noted for its extensive anti-analysis and anti-recovery mechanisms, including the deletion of shadow copies and the termination of security-related processes. Analysis indicates that Avaddon shares significant code similarities and TTPs with other ransomware families such as MedusaLocker, Ako, and ThunderX [2].
The distribution of Avaddon relies on a network of affiliates who employ various tactics to gain a foothold in victim environments. Observed methods include the use of compromised credentials, often leveraged via Remote Desktop Protocol (RDP) for lateral movement. To maintain access and interact with compromised servers, custom malware such as BLACKCROW and DARKRAVEN web shells are utilized. Additionally, the SystemBC remote administration tool is frequently deployed to interact with compromised hosts.
Post-exploitation activities involve the use of open-source frameworks like Empire and PowerSploit. Data staging and exfiltration are facilitated by tools such as 7Zip and MEGAsync [2].
Upon execution, the malware initializes its configuration, which is embedded within the binary as global std::string variables. These strings are encoded using Base64 and subjected to multiple iterations of arithmetic operations with a hardcoded single-byte key.
The following Python script demonstrates the logic used to decode the configuration strings found in the malware samples [2]:
from base64 import b64decode
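The script above is cut off after its import, so here is an added, self-contained decoder (not the original post's script and not the reference's code) that illustrates the scheme the text describes: a Base64 layer over several byte-wise arithmetic passes with a single-byte key. The concrete operation chain (add key mod 256, then XOR key, per round), the key 0x5A and the round count are assumptions for illustration; for a real sample they must be read out of the binary's decryption routine.

```python
from base64 import b64decode, b64encode

# Assumed scheme for this example (the post does not spell out the operations): each
# round adds the single-byte key to every byte mod 256, then XORs it with the key.
KEY = 0x5A      # placeholder single-byte key, not a value from any sample
ROUNDS = 3      # placeholder number of arithmetic passes

def _round_encode(data: bytes, key: int) -> bytes:
    # one forward pass: (b + key) mod 256, then XOR key
    return bytes(((b + key) & 0xFF) ^ key for b in data)

def _round_decode(data: bytes, key: int) -> bytes:
    # exact inverse of _round_encode: XOR key, then (b - key) mod 256
    return bytes(((b ^ key) - key) & 0xFF for b in data)

def encode_config_string(plain: str, key: int = KEY, rounds: int = ROUNDS) -> str:
    """Forward transform; used here only to build constructed test vectors."""
    buf = plain.encode("utf-8")
    for _ in range(rounds):
        buf = _round_encode(buf, key)
    return b64encode(buf).decode("ascii")

def decode_config_string(encoded: str, key: int = KEY, rounds: int = ROUNDS) -> str:
    """Strip the Base64 layer, then undo each arithmetic round in turn."""
    buf = b64decode(encoded)
    for _ in range(rounds):
        buf = _round_decode(buf, key)
    return buf.decode("utf-8", errors="replace")

def candidate_keys(encoded: str, rounds: int = ROUNDS) -> list:
    """Analyst helper: try all 256 keys and keep those that yield printable ASCII,
    handy before the key has been located in the decryption routine."""
    raw = b64decode(encoded)
    found = []
    for k in range(256):
        buf = raw
        for _ in range(rounds):
            buf = _round_decode(buf, k)
        if buf and all(0x20 <= b < 0x7F for b in buf):
            found.append(k)
    return found

# Constructed stand-ins for the binary's encoded global strings.
SAMPLE_PLAIN = ["C:\\Windows", ".bin .sys .ini .dll", "wmic.exe SHADOWCOPY /nointeractive"]
SAMPLE_ENCODED = [encode_config_string(s) for s in SAMPLE_PLAIN]

if __name__ == "__main__":
    for enc in SAMPLE_ENCODED:
        print(enc, "->", decode_config_string(enc))
```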
Avaddon employs several mechanisms to evade detection and ensure successful encryption. A geographical check is performed to verify the victim's location. The system's Language Code Identifier (LCID) and keyboard layout are retrieved, and execution is terminated if any of the following languages are detected:
This behavior aligns with policies often seen in Russian-speaking cybercriminal forums prohibiting attacks within the Commonwealth of Independent States (CIS) [2].
To prevent interference during the encryption process, a specific list of services is targeted. These services are stopped and subsequently deleted. The targeted services include [2]:
ccEvtMgr, ccSetMgr, Culserver, dbeng8, dbsrv12, DefWatch, Intuit.QuickBooks.FCS, msmdsrv, QBCFMonitorService, QBIDPService, RTVscan, SavRoam, sqladhlp, SQLADHLP, sqlagent, sqlbrowser, sqlservr, sqlwriter, tomcat6, VMAuthdService, VMnetDHCP, VMUSBArbService, vmware-usbarbitator64, VMwareHostd
In addition to services, specific processes are terminated [2]:
360doctor.exe, 360se.exe, axlbridge.exe, Culture.exe, Defwatch.exe, fdhost.exe, fdlauncher.exe, GDscan.exe, httpd.exe, MsDtSrvr.exe, QBCFMonitorService, QBDBMgr.exe, QBIDPService.exe, qbupdate.exe, QBW32.exe, RAgui.exe, RTVscan.exe, sqlbrowser.exe, sqlmangr.exe, sqlservr.exe, supervise.exe, winword.exe, wxServer.exe, wxServerView.exe, tomcat6.exe, java.exe, wdswfsafe.exe
To ensure that victims cannot easily restore their data without paying the ransom, Windows shadow volumes are deleted, and the recycle bin is emptied. The Windows Restart Manager is leveraged to prevent the system from restarting by adding files currently being encrypted to the Restart Manager registry.
The following commands are executed to disable recovery options [2]:
wmic.exe SHADOWCOPY /nointeractive
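The service kill list and the shadow-copy command above give a defender two concrete signals to correlate. The following added example (not from the original post or the reference) runs a simple heuristic over constructed event lines: a burst of the listed services stopping within a short window, plus a process launch of wmic.exe against SHADOWCOPY. The "timestamp|source|message" line layout, the window and the threshold are assumptions for this example, not a real Windows event export format.

```python
import re
from datetime import datetime, timedelta

# Services the page lists as stopped and deleted by Avaddon before encryption.
AVADDON_SERVICES = {
    "ccEvtMgr", "ccSetMgr", "Culserver", "dbeng8", "dbsrv12", "DefWatch",
    "Intuit.QuickBooks.FCS", "msmdsrv", "QBCFMonitorService", "QBIDPService",
    "RTVscan", "SavRoam", "sqladhlp", "SQLADHLP", "sqlagent", "sqlbrowser",
    "sqlservr", "sqlwriter", "tomcat6", "VMAuthdService", "VMnetDHCP",
    "VMUSBArbService", "vmware-usbarbitator64", "VMwareHostd",
}
_SERVICES_LOWER = {s.lower() for s in AVADDON_SERVICES}
STOP_RE = re.compile(r"The (\S+) service entered the stopped state")
WMIC_RE = re.compile(r"wmic(\.exe)?\s+shadowcopy\b", re.IGNORECASE)

# Constructed sample events in a simplified "timestamp|source|message" layout
# (an assumption for this example, not a real Windows event export).
SAMPLE_LOG = """\
2021-03-04T10:00:01|SCM|The sqlservr service entered the stopped state.
2021-03-04T10:00:01|SCM|The sqlwriter service entered the stopped state.
2021-03-04T10:00:02|SCM|The VMwareHostd service entered the stopped state.
2021-03-04T10:00:02|SCM|The QBCFMonitorService service entered the stopped state.
2021-03-04T10:00:05|ProcessCreate|C:\\Windows\\System32\\wbem\\wmic.exe SHADOWCOPY /nointeractive
2021-03-04T12:30:00|SCM|The Spooler service entered the stopped state.
"""

def parse_events(log: str) -> list:
    events = []
    for line in log.splitlines():
        ts, source, msg = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), source, msg))
    return events

def service_kill_bursts(events, window=timedelta(seconds=60), threshold=3) -> list:
    """Distinct sets of listed services stopped within one sliding window (subsets dropped)."""
    stops = [(ts, m.group(1)) for ts, _, msg in events
             if (m := STOP_RE.search(msg)) and m.group(1).lower() in _SERVICES_LOWER]
    bursts = []
    for i, (start, _) in enumerate(stops):
        names = {n for ts, n in stops[i:] if ts - start <= window}
        if len(names) >= threshold and not any(names <= b for b in bursts):
            bursts.append(names)
    return bursts

def shadowcopy_commands(events) -> list:
    """Process launches that point wmic at SHADOWCOPY, the recovery-tampering step above."""
    return [msg for _, src, msg in events if src == "ProcessCreate" and WMIC_RE.search(msg)]

def assess(log: str) -> dict:
    events = parse_events(log)
    return {"service_burst": bool(service_kill_bursts(events)),
            "shadowcopy_tamper": bool(shadowcopy_commands(events))}
```

Both signals together are a much stronger indicator than either alone, since database and backup services are also stopped legitimately during maintenance.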
Files are encrypted using the AES-256 algorithm. In earlier versions, a single session key was generated, but later iterations evolved to use unique keys per file to prevent simple decryption tools from working.
To maintain system stability and ensure the operating system remains functional (allowing the user to pay the ransom), specific directories and file extensions are excluded from encryption.
Excluded Directories [2]:
C:\Windows
Excluded File Extensions [2]:
.bin, .sys, .ini, .dll, .lnk, .dat, .exe, .drv, .rdp, .prf, .swp, .mdf, .mds, .sql
Host reconnaissance is conducted and the result is embedded in the ransom note. This data consists of a plaintext victim ID and a JSON structure encrypted with an RSA key; the two parts are separated by a hyphen and Base64 encoded.
The JSON structure contains the following fields:
An example of the gathered JSON data is shown below [2]:
{
We also strongly suggest simulating Riddle Spider Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Riddle Spider:
Threat ID   Threat Name                            Attack Module
45668       Riddle Spider Threat Group Campaign    Windows Endpoint
95933       Avaddon Ransomware Download Threat     Network Infiltration
94255       Avaddon Ransomware Email Threat        E-mail Infiltration
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] “Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack,” CrowdStrike.com. Accessed: Nov. 27, 2025. [Online]. Available: https://www.crowdstrike.com/en-us/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
[2] “One Source to Rule Them All: Chasing AVADDON Ransomware,” Google Cloud Blog. Accessed: Nov. 27, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/chasing-avaddon-ransomware/