
S0640: Avaddon

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[1][2]

Enterprise | S0640 | Malware | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Avaddon is a Windows ransomware family described by ATT&CK as C++ ransomware offered as ransomware-as-a-service since at least June 2020. The useful defensive lesson is not just “ransomware exists,” but that the mapped behaviors span discovery, execution, persistence, privilege escalation, defense impairment, recovery inhibition, service stopping, and data encryption. For leaders, this makes Avaddon a good coverage test for whether the organization can detect and contain ransomware activity before business-critical files, services, and recovery options are affected.

Executive priority

Prioritize Avaddon as a ransomware readiness scenario for Windows estates. It connects directly to operational resilience: can the business see discovery of systems and shares, unauthorized execution paths such as WMI or scripting, registry-based persistence or modification, attempts to impair tools, service stoppage, recovery inhibition, and eventual file encryption? Executives should ask for evidence that backups and recovery controls are protected, endpoint and Windows telemetry are retained, and incident responders have playbooks for rapid isolation and service restoration.

Technical view

SOC and IR teams should validate detections across the mapped ATT&CK relationships: System Network Configuration Discovery, Process Discovery, File and Directory Discovery, Network Share Discovery, WMI execution, JavaScript execution, Native API activity, Registry modification, Run Key or Startup Folder persistence, UAC bypass indicators, system language checks, obfuscation/deobfuscation behaviors, disabling or modifying tools, service stops, recovery inhibition, and data encryption for impact. Because ATT&CK provides no official detection text for Avaddon, coverage should be tested behaviorally rather than relying on a single malware signature.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • WMI activity logs and remote/local management execution evidence
  • Windows Registry auditing for Run Keys, Startup Folder references, and suspicious modification
  • File system telemetry for large-scale file enumeration, modification, and encryption-like activity
  • Network share and SMB access telemetry

Detection direction

  • Build behavior-based correlation around discovery followed by execution, registry changes, service disruption, recovery inhibition, and file encryption activity on Windows hosts.
  • Treat WMI and scripting alerts carefully: both are legitimate administration mechanisms, so tune around unusual parent processes, destinations, user context, timing, and sequence with discovery or impact behaviors.
  • Validate visibility into registry persistence and registry modification; many ransomware investigations fail when endpoint telemetry does not preserve before-and-after registry state.
  • Confirm that security-tool tamper or service-stop events create high-priority alerts, especially when followed by file share enumeration or bulk file changes.
  • Test whether network share discovery and file/directory enumeration are visible from endpoints and from network or file server logs, since ransomware impact often extends beyond the initially infected host.
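One way to implement the behavior-based correlation these bullets describe, as an added example that is not part of the original page or of any vendor product: a small set of stage rules, keyed to the techniques in the relationship table on this page, runs over constructed endpoint events and only alerts when several stages chain on one host inside a window, so a lone wmic query or a routine service restart stays quiet. The event field names, the regexes and the 15-minute window are assumptions about an endpoint agent, not Avaddon indicators.

```python
import re
from datetime import datetime, timedelta
# Constructed sample telemetry (timestamp, host, event type, detail), not from any real
# incident: ws01 shows the chained pattern; ws02 shows routine admin use that must stay quiet.
SAMPLE_EVENTS = [
    ("2021-02-09T10:00:05", "ws01", "process", "net.exe view \\\\fileserver01"),
    ("2021-02-09T10:00:30", "ws01", "process", "wmic.exe shadowcopy delete"),
    ("2021-02-09T10:00:45", "ws01", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("2021-02-09T10:01:10", "ws01", "service_stop", "MSSQLSERVER"),
    ("2021-02-09T10:03:00", "ws01", "file_bulk_write", "812 files modified in 60s"),
    ("2021-02-09T11:30:00", "ws02", "process", "wmic.exe os get caption"),
    ("2021-02-09T11:31:00", "ws02", "service_stop", "Spooler"),
    ("2021-02-09T14:00:00", "ws02", "process", "net.exe view \\\\fileserver01"),
]

# One rule per ATT&CK technique mapped on this page: (label, event type, regex on detail).
# The regexes are assumptions about how an endpoint agent renders events, not Avaddon IoCs.
STAGE_RULES = [
    ("T1135", "process", re.compile(r"\bnet(\.exe)?\s+view\b", re.I)),
    ("T1047/T1490", "process", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1547.001", "registry", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("T1489", "service_stop", re.compile(r"sql|oracle|mysql|postgres", re.I)),
    ("T1486", "file_bulk_write", re.compile(r"")),  # any bulk-write burst event counts
]
WINDOW = timedelta(minutes=15)     # all stages must fall inside this span
MIN_STAGES = 3                     # distinct techniques required before alerting
IMPACT = {"T1047/T1490", "T1486"}  # at least one recovery-inhibition or encryption stage

def classify(event):
    """Return the technique label an event matches, or None."""
    _, _, etype, detail = event
    return next((lbl for lbl, et, pat in STAGE_RULES if et == etype and pat.search(detail)), None)

def correlate(events):
    """Map host -> sorted labels where MIN_STAGES distinct stages (one of them an impact
    stage) occur inside a single WINDOW; isolated matches never alert on their own."""
    per_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_host.setdefault(ev[1], []).append((datetime.fromisoformat(ev[0]), label))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            stages = {lbl for ts, lbl in hits[i:] if ts - start <= WINDOW}
            if len(stages) >= MIN_STAGES and stages & IMPACT:
                alerts[host] = sorted(stages)
                break
    return alerts
```

Run as `correlate(SAMPLE_EVENTS)`: ws01 is reported with all five stages, ws02 is not reported at all.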

Mitigation priorities

  • Harden and monitor Windows administrative surfaces such as WMI, scripting hosts, service control, and registry modification according to least-privilege principles.
  • Protect recovery paths first: maintain resilient backups, restrict access to backup administration, and monitor for changes to recovery mechanisms or shadow-copy-related controls.
  • Limit ransomware blast radius through segmentation, least-privilege access to network shares, and review of excessive write permissions.
  • Ensure endpoint security tooling is tamper-resistant and that tool health events are monitored by the SOC.
  • Prepare IR playbooks for rapid host isolation, credential containment, service restoration, and evidence preservation when encryption, service stop, or recovery inhibition is observed.

Analyst notes and limits

ATT&CK identifies Avaddon as Windows ransomware and maps it to multiple techniques that are highly relevant to ransomware operations, including discovery, execution, persistence, privilege escalation, defense impairment, recovery inhibition, service stopping, and encryption for impact. The object does not provide official detection guidance, so the most defensible approach is to validate telemetry and detections against the related behaviors. External references include an in-depth Avaddon analysis and a threat-hunting article, but this take only uses the supplied ATT&CK fields and relationship context.

No official ATT&CK detection text, aliases, labels, or object-level tactics were supplied. Relationship descriptions are technique-level context and should not be interpreted as proof that every described platform or variant behavior applies to every Avaddon incident. Local validation is required to confirm telemetry availability, control effectiveness, false-positive rates, and recovery readiness.

Official MITRE ATT&CK definition

Avaddon

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1614.001 | System Language Discovery (sub-technique)
Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1140 | Deobfuscate/Decode Files or Information
Avaddon has decrypted encrypted strings. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1489 | Service Stop
Avaddon looks for and attempts to stop database processes. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1059.007 | JavaScript (sub-technique)
Avaddon has been executed through a malicious JScript downloader. (Citation: Hornet Security Avaddon June 2020; Citation: Awake Security Avaddon)

Enterprise | T1083 | File and Directory Discovery
Avaddon has searched for specific files prior to encryption. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1685 | Disable or Modify Tools
Avaddon looks for and attempts to stop anti-malware solutions. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1106 | Native API
Avaddon has used the Windows Crypto API to generate an AES key. (Citation: Hornet Security Avaddon June 2020)

Enterprise | T1057 | Process Discovery
Avaddon has collected information about running processes. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1490 | Inhibit System Recovery
Avaddon deletes backups and shadow copies using native system tools. (Citation: Hornet Security Avaddon June 2020; Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1548.002 | Bypass User Account Control (sub-technique)
Avaddon bypasses UAC using the CMSTPLUA COM interface. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1135 | Network Share Discovery
Avaddon has enumerated shared folders and mapped volumes. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1047 | Windows Management Instrumentation
Avaddon uses wmic.exe to delete shadow copies. (Citation: Hornet Security Avaddon June 2020)

Enterprise | T1486 | Data Encrypted for Impact
Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1112 | Modify Registry
Avaddon modifies several registry keys for persistence and UAC bypass. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1027 | Obfuscated Files or Information
Avaddon has used encrypted strings. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique)
Avaddon uses registry run keys for persistence. (Citation: Arxiv Avaddon Feb 2021)

Enterprise | T1016 | System Network Configuration Discovery
Avaddon can collect the external IP address of the victim. (Citation: Awake Security Avaddon)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b22f1e0178893d0f...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b22f1e017889…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Awake Security Avaddon: Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021.
  2. [2] Arxiv Avaddon Feb 2021: Yuste, J., & Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  3. [3] mitre-attack S0640 (mirrored MITRE ATT&CK source object).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.