Inactive ransomware operator
← All groupsAvaddon
146 victims indexed · first seen 5 years ago · last activity 5 years ago
146
Victims indexed
#57 of 348 tracked operators
7m
Active period
Feb 2021 → Sep 2021
10
Countries hit
top United States · 32
At a glance
- Status
- inactive
- First seen
- 5 years ago
- Last activity
- 5 years ago
- Onion sites
- 1 known endpoint
- Primary sector
- Energy · 4 hits
About
Avaddon is a financially motivated ransomware group that emerged in early 2021, conducting targeted attacks primarily against organizations in the United States, United Kingdom, Germany, Spain, and Australia. The group operated as a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to conduct attacks while the core operators maintained the ransomware infrastructure and negotiated with victims. Avaddon employed double extortion tactics, exfiltrating sensitive data before deploying their encryption payload and threatening to publish stolen information on their leak site if ransom demands were not met. The group typically gained initial access through phishing emails, exploited vulnerabilities in remote access services, and used legitimate administrative tools to move laterally within compromised networks. Over its operational period, Avaddon targeted critical infrastructure sectors including energy, government, finance, manufacturing, and transportation, successfully compromising at least 146 documented victims. The group's activities were significantly disrupted in June 2021 when the operators voluntarily shut down their operations and provided decryption keys for all victims to law enforcement, making Avaddon one of the few ransomware groups to cease operations without direct law enforcement takedown action.
References
42 linksExternal sources curated by the MISP threat-intel community.
- heimdalsecurity.com/blog/avaddon-ransomware/
- atos.net/en/lp/securitydive/avaddon-ransomware-analysis
- acronis.com/en-us/articles/avaddon-ransomware
- cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf
- arxiv.org/pdf/2102.04796.pdf
- awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/
- docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/
- medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
- medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1
- news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
- symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/
- therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/
- threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure
- twitter.com/Securityinbits/status/1271065316903120902
- twitter.com/dk_samper/status/1348560784285167617
Timeline
5 months2021-02-01T00:00:00+00:002021-09-01T00:00:00+00:00
Top countries
🇺🇸 United States
32
🇬🇧 United Kingdom
10
🇩🇪 Germany
4
🇪🇸 Spain
2
🇦🇺 Australia
2
🇵🇹 Portugal
2
🇨🇿 Czech Republic
2
🇵🇱 Poland
1
Top sectors
Energy
4
Government
3
Finance
3
Manufacturing
3
Transportation
2
Construction
2
Food & Agriculture
2
Government Facilities
2
MITRE ATT&CK
8 techniques · 7 tacticsTactics
Initial AccessExecutionDefense EvasionLateral MovementCollectionExfiltrationImpact
Recent victims
Loading…
Onion infrastructure
1 known- http://avaddongun7rngel.onion
Source
Updated 5 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.