Threat Actor Profile
Avaddon Threat Actor Profile
Published: 11/21/2025
Written by: Monica Burgess
Avaddon was a Ransomware-as-a-Service (RaaS) operation active from mid-2020 until its abrupt shutdown in June 2021. The group was known for double extortion: it encrypted victim data, stole it first, and threatened to publish it on its dark web leak site. In early 2021 it added a third lever, DDoS attacks against victims who were slow to negotiate, to increase the pressure to pay.
Country of Origin
The exact country of origin for Avaddon is not confirmed, but its malware was built to avoid systems in the Commonwealth of Independent States (CIS): before encrypting, it checked the Windows system locale and installed keyboard layouts, and exited if it found Russian or other CIS-region languages. This is a locale check, not a geolocation check, and it is a common marker of operators who are Russian-speaking and based in that region, since attacking local targets invites attention from local law enforcement.
Members
As a RaaS model, Avaddon had a core group of developers and an unknown number of "affiliates" who carried out the attacks. The group recruited these affiliates on Russian-speaking hacking forums, offering them a cut of the profits.
Leadership
The specific leaders or aliases behind the Avaddon RaaS operation remain unknown. They operated with a degree of anonymity typical of many ransomware groups.
Avaddon TTPs
Tactics
Avaddon’s primary goal was simple: make money. They accomplished this through a multi-pronged extortion strategy. Their main tactics included encrypting critical files to disrupt business operations, stealing sensitive data to use as leverage, and launching DDoS attacks against victims to increase pressure and force a ransom payment.
Techniques
To get inside a network, Avaddon affiliates used a few favorite tricks. They relied heavily on phishing and malspam campaigns, typically a short lure ("look at this photo") with a ZIP attachment containing a malicious JavaScript downloader whose name carried a double extension (an image extension followed by .js) so that Windows, which hides known extensions by default, displayed it as a picture. They also exploited exposed Remote Desktop Protocol (RDP) and vulnerable VPN services to gain initial access. Once inside, they used tools like Cobalt Strike and Mimikatz for lateral movement and credential theft.
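The double-extension lure described above is easy to catch at the mail gateway if you look at the last extension rather than the one the user sees. The following is an added example, not code from the original profile or from Huntress: a small attachment classifier that flags executable extensions hiding behind image or document extensions, and opens ZIP attachments to apply the same check to their members. The attachment names, the ZIP contents and the extension lists are constructed for the example; the real Avaddon script is not reproduced.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Extensions Windows will run on double-click (Windows Script Host,
# HTA, PE, batch, PowerShell). Constructed baseline; extend to your policy.
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe",
                   "scr", "pif", "com", "bat", "cmd", "ps1"}
# Extensions that make a name look harmless when "Hide extensions for
# known file types" is on: IMG_2041.jpg.js is displayed as IMG_2041.jpg.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx",
              "xls", "xlsx", "txt"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}
SEVERITY = {"allow": 0, "review": 1, "block": 2}


def classify_attachment(filename: str) -> Dict[str, str]:
    """Classify one attachment filename by its real (last) extension."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return {"verdict": "allow", "reason": "no extension"}
    ext = parts[-1]
    inner = parts[1:-1]  # extensions between the base name and the real one
    if ext in EXECUTABLE_EXTS:
        decoys = [e for e in inner if e in DECOY_EXTS]
        if decoys:
            return {"verdict": "block",
                    "reason": f"executable .{ext} disguised as .{decoys[-1]}"}
        return {"verdict": "block", "reason": f"executable attachment .{ext}"}
    if ext in ARCHIVE_EXTS:
        return {"verdict": "review",
                "reason": f"archive .{ext}; inspect contents for scripts"}
    return {"verdict": "allow", "reason": "no executable extension"}


def inspect_zip(data: bytes) -> List[Dict[str, str]]:
    """Classify each file inside a ZIP attachment (one level, not recursive)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if member.endswith("/"):  # directory entry
                continue
            verdict = classify_attachment(member.rsplit("/", 1)[-1])
            findings.append({"member": member, **verdict})
    return findings


def scan_message(attachments: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Return the worst verdict across all attachments and their ZIP members."""
    findings: List[Dict[str, str]] = []
    worst = "allow"
    for name, data in attachments:
        verdict = classify_attachment(name)
        if verdict["verdict"] == "review" and zipfile.is_zipfile(io.BytesIO(data)):
            items = inspect_zip(data)
        else:
            items = [{"member": name, **verdict}]
        for item in items:
            findings.append(item)
            if SEVERITY[item["verdict"]] > SEVERITY[worst]:
                worst = item["verdict"]
    return {"verdict": worst, "findings": findings}


def build_sample_zip() -> bytes:
    """Constructed lure: a ZIP holding a JS file named like a photo.
    The member body is a placeholder comment, not the real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_2041.jpg.js", "// placeholder, not a real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_message([("photos.zip", build_sample_zip()),
                           ("holiday.JPG", b"\xff\xd8\xff")])
    print(result["verdict"])
    for f in result["findings"]:
        print(f"  {f['member']}: {f['verdict']} ({f['reason']})")
```

The check keys off the last extension because that is the only one Windows honours when the file is opened; the decoy extension only matters for the explanation you give the user. Archives get opened because the lure usually ships the script inside a ZIP, where a filename-only filter on the outer attachment never sees it.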
Procedures
The group’s procedures were standard for a RaaS operation. After gaining access, they’d spend days, sometimes weeks, moving through the network to identify and exfiltrate valuable data. Before encrypting, they used built-in Windows tools to sabotage recovery: vssadmin and wmic to delete Volume Shadow Copies, and bcdedit to disable Windows recovery mode and boot-failure recovery, making restoration from the local system a nightmare. Finally, they deployed the ransomware, often at night or over a weekend, to encrypt files across the network.
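Because shadow-copy deletion and recovery tampering happen minutes before encryption starts, they are among the highest-value detections for this playbook. The following is an added example, not code from the original profile or from Huntress: it runs command-line rules for the three tools named above (MITRE ATT&CK T1490, Inhibit System Recovery) over process-creation events and escalates to a high-severity alert when two or more distinct rules fire on one host inside a short window. The events are constructed in the Sysmon Event ID 1 / Security 4688 shape and are not real telemetry; the hostnames, user names and timestamps are invented.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Command-line patterns for the recovery-inhibition steps (T1490).
# Benign administration ("vssadmin list shadows", "bcdedit /enum") does
# not match; only the destructive verbs do.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Constructed process-creation events, reduced to the fields the logic needs.
EVENTS = [
    {"ts": "2021-05-15T02:13:07", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "cmd": "vssadmin.exe list shadows"},
    {"ts": "2021-05-15T02:41:10", "host": "FS01", "user": "CORP\\jdoe",
     "parent": "cmd.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2021-05-15T02:41:12", "host": "FS01", "user": "CORP\\jdoe",
     "parent": "cmd.exe", "cmd": "wmic.exe shadowcopy delete"},
    {"ts": "2021-05-15T02:41:15", "host": "FS01", "user": "CORP\\jdoe",
     "parent": "cmd.exe", "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2021-05-15T02:41:16", "host": "FS01", "user": "CORP\\jdoe",
     "parent": "cmd.exe",
     "cmd": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": "2021-05-15T09:02:44", "host": "WS22", "user": "CORP\\admin",
     "parent": "explorer.exe", "cmd": "bcdedit.exe /enum"},
]


def match_rules(cmd: str) -> List[str]:
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events: List[Dict[str, str]], window_seconds: int = 300) -> List[Dict[str, object]]:
    """Per-event medium alerts, plus one high alert per host when two or
    more distinct recovery-inhibition rules fire within window_seconds."""
    alerts: List[Dict[str, object]] = []
    per_host = defaultdict(list)  # host -> [(timestamp, rule_name)]
    for ev in events:
        for name in match_rules(ev["cmd"]):
            alerts.append({"severity": "medium", "rule": name, "host": ev["host"],
                           "user": ev["user"], "parent": ev["parent"],
                           "cmd": ev["cmd"], "ts": ev["ts"]})
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name))
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            names = sorted({n for t, n in hits[i:]
                            if (t - t0).total_seconds() <= window_seconds})
            if len(names) >= 2:
                alerts.append({"severity": "high", "rule": "recovery_inhibition_burst",
                               "host": host, "rules": names,
                               "first_seen": t0.isoformat()})
                break  # one burst alert per host is enough
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["severity"].upper(), a["host"], a["rule"], a.get("cmd", a.get("rules")))
```

A single `vssadmin delete shadows` can come from a backup product, so the per-event alerts stay at medium; the burst rule is what separates routine maintenance from the pre-encryption sequence, where these commands arrive within seconds of each other from the same interactive session. Tuning the window and adding parent-process context (a shell spawned from an Office or script host, rather than a backup agent) are the usual next steps.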
Notable Cyberattacks
The attack against AXA's Asia Assistance subsidiaries in Thailand, Malaysia, Hong Kong, and the Philippines in May 2021 was a major headline-grabber for Avaddon. The timing was particularly bold, as it came days after AXA announced it would stop writing cyber-insurance policies in France that reimbursed customers for ransomware extortion payments. The attackers claimed to have stolen 3 TB of sensitive data, including customer medical records, ID cards, and bank account information. This incident, along with a spike in Avaddon activity in the weeks after the Colonial Pipeline attack (carried out by the DarkSide group, not Avaddon), drew significant attention from the FBI and other international law enforcement agencies.
Law Enforcement & Arrests
Avaddon’s success was also its downfall. The increased pressure from law enforcement, particularly after the high-profile attacks of mid-2021, likely spooked the operators. In June 2021 the group abruptly shut down its operations. They didn't just disappear: an anonymous email sent 2,934 decryption keys to BleepingComputer, and Emsisoft used them to build a free decryptor, allowing many victims to recover their files without paying. No arrests have been publicly announced, and this sudden exit is widely believed to be a direct result of intensified law enforcement focus on ransomware gangs.
How to Defend Against
Secure Remote Access: Don't just leave RDP and VPNs open to the internet. Put them behind a proper firewall, enforce strong password policies, and use multi-factor
Email Security: Train your team to spot phishing attempts. A good email filtering solution can block malicious attachments and links before they ever reach an inbox.
Backups Are Your Best Friend: Follow the 3-2-1 rule for backups (3 copies, on 2 different media, with 1 stored offline or otherwise unreachable from the production network). If attackers can’t reach your backups, encryption alone can't force you to pay. Keep in mind that backups blunt only the encryption half of double extortion; they do nothing about data that has already been stolen, which is why detecting the intrusion before exfiltration still matters.
Endpoint Detection and Response (EDR): You need visibility into what’s happening on your endpoints. Huntress Managed EDR provides 24/7 monitoring by human threat hunters who can spot the signs of an intrusion—like the use of Cobalt Strike or suspicious PowerShell scripts—and stop attackers in their tracks before they can deploy ransomware. We watch for the sneaky stuff so you don't have to.