Avaddon ransomware emerged in mid-2020 as a significant file-encryption threat operating through a ransomware-as-a-service (RaaS) model. This malware encrypts files on infected systems and demands payment in cryptocurrency for the decryption key. While the Avaddon operation officially shut down in June 2021 when its operators released the master decryption keys to law enforcement, infected systems and dormant variants may still surface, particularly on machines that were compromised during the active campaign period but remained offline or undetected.


The threat was known for its double-extortion tactics: first encrypting victim files, then threatening to publish stolen data on a dedicated leak site if the ransom wasn't paid. Victims included small businesses, healthcare facilities, and individual users across multiple countries. Understanding how this ransomware operates remains relevant because similar families continue to use Avaddon's proven techniques, and because you may encounter a lingering infection from the original campaign.

Think you're infected right now? Disconnect your computer from the network immediately—unplug the Ethernet cable or disable Wi-Fi. Do not restart yet. If you see ransom notes or files with strange extensions like .avdn or similar appended to your filenames, power down and call us at (770) 637-1435. Acting quickly can limit damage and preserve recovery options.

Threat Profile

Threat Family: Avaddon Ransomware
Classification: Ransomware (File Encryption, Data Exfiltration)
Aliases: Avaddon, Avdn Ransomware
Platform: Windows (all modern versions including Windows 7, 8, 10, Server editions)
Active Period: June 2020 – June 2021 (operation discontinued, decryption keys released)
Distribution Model: Ransomware-as-a-Service (RaaS) with affiliate network
Primary Distribution: Phishing emails with malicious attachments, exploit kits, Remote Desktop Protocol (RDP) compromise
Encryption Method: AES-256 + RSA-2048 hybrid encryption (typical for the family)
File Extension: Varied by campaign; commonly appended random extensions or .avdn
Ransom Note Name: Typically README.txt or [random]-readme.txt placed in encrypted directories
Data Exfiltration: Yes—files are stolen prior to encryption and their publication is threatened
Network Behavior: Command-and-control communication via Tor; data upload to attacker servers before encryption
Persistence Mechanisms: Registry Run keys, scheduled tasks (varies by deployment method)
Removal Difficulty: Moderate (the payload can be removed, but encrypted files require decryption keys)

How It Spreads

Avaddon's operators relied heavily on a multi-pronged distribution strategy leveraging both automated and manual attack methods. The RaaS model meant that various affiliate groups used different tactics, but certain vectors dominated. Email phishing remained the primary infection route during the campaign's peak, with messages disguised as business correspondence, shipping notifications, or financial documents. These emails contained JavaScript attachments, malicious Office documents with macros, or password-protected archives designed to evade email security filters.

Beyond phishing, Avaddon affiliates frequently exploited poorly secured Remote Desktop Protocol connections—a favorite entry point for ransomware operators. Organizations with RDP exposed to the internet and protected only by weak or default credentials became easy targets. Once inside via RDP, attackers moved laterally across the network, exfiltrated sensitive data, disabled security software, and deployed the ransomware payload across multiple systems simultaneously for maximum impact.

Common distribution vectors included:

  • Phishing emails with JavaScript (.js) files, Office documents with malicious macros, or embedded links to download sites
  • Compromised RDP servers through brute-force attacks or credential stuffing
  • Exploit kits targeting unpatched vulnerabilities in browsers and plugins
  • Malicious advertisements (malvertising) redirecting to exploit kit landing pages
  • Software cracks and pirated content bundled with the ransomware loader
  • Supply chain compromise through infected software updates or trojanized installers (less common but documented)
  • Secondary infections delivered by existing malware such as Emotet or TrickBot (documented for this family)

What It Does On Your Machine

Once executed, Avaddon performs reconnaissance to understand the infected environment. It checks for language settings and terminates if it detects systems configured for specific countries—a common tactic among ransomware operators to avoid law enforcement attention from certain jurisdictions. The malware then escalates privileges, often through UAC bypass techniques, and establishes persistence through registry modifications or scheduled tasks to survive system reboots during the attack process.

Before encryption begins, Avaddon exfiltrates selected files to attacker-controlled servers—the data that will later be used for extortion leverage. The ransomware scans network shares and attempts to spread to other accessible systems on the local network. It terminates processes and services associated with databases, email servers, backup software, and security tools to ensure files remain unlocked and encryption proceeds without interference. Volume Shadow Copies are deleted using Windows utilities to eliminate easy recovery options.

The encryption phase targets hundreds of file types—documents, databases, images, archives, and more—using a strong hybrid encryption scheme. Each file receives a unique encryption key, which is then encrypted with the attacker's public RSA key. After encryption completes, ransom notes appear in affected directories explaining the situation and providing instructions to contact the attackers through a Tor-based payment portal. The notes typically include a unique victim ID and threaten data publication if payment isn't made within a specified timeframe.

Typical Filesystem and Registry Artifacts (Family-Level Examples)

Executable Locations (varied by deployment):
  %TEMP%\[random_name].exe
  %APPDATA%\[random_directory]\payload.exe
  C:\ProgramData\[GUID]\svchost.exe

Registry Persistence (when applicable):
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[RandomKey]
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[RandomKey]

Ransom Notes:
  [Multiple directories]\README.txt
  [Desktop]\[victim_id]-readme.txt

Shadow Copy Deletion Commands (executed):
  vssadmin.exe delete shadows /all /quiet
  wmic.exe shadowcopy delete
  bcdedit.exe /set {default} recoveryenabled no

Note: Specific paths and names vary significantly across Avaddon samples and campaigns.
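The artifacts above can be triaged with a small script rather than by eye. The following is an added example, not code from the original page: it searches constructed process-creation log lines for the three recovery-inhibition commands listed above, and flags Run-key values whose executable lives in %TEMP%, %APPDATA% or C:\ProgramData. The log lines, Run-key names and paths are all constructed placeholders.

```python
import re

# Constructed Sysmon-style process-creation lines (Image=... CommandLine=...);
# not from a real incident. Lines 1-3 match the artifacts section, 4-5 are benign.
SAMPLE_PROCESS_LOG = r"""
Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe delete shadows /all /quiet
Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic.exe shadowcopy delete
Image=C:\Windows\System32\bcdedit.exe CommandLine=bcdedit.exe /set {default} recoveryenabled no
Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe list shadows
Image=C:\Windows\explorer.exe CommandLine=explorer.exe
"""

# One pattern per recovery-inhibition command from the artifacts list.
RECOVERY_INHIBITION = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit recoveryenabled no",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
]

def find_recovery_inhibition(log_text):
    """Return (line_no, label, command) for each log line matching a pattern."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        m = re.search(r"CommandLine=(.*)$", line)
        if not m:
            continue
        cmd = m.group(1)
        for label, pat in RECOVERY_INHIBITION:
            if pat.search(cmd):
                hits.append((n, label, cmd))
    return hits

# Constructed Run-key values (value name -> command) as exported from a
# HKCU\...\CurrentVersion\Run key; names and paths are placeholders.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "gh7Qx2": r"C:\Users\alice\AppData\Local\Temp\gh7Qx2.exe",
    "Updater": r"C:\ProgramData\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\svchost.exe",
}

# %TEMP%, %APPDATA% (Roaming) and C:\ProgramData: the locations listed above.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|ProgramData)\\", re.I)

def suspicious_run_values(values):
    """Return the names of Run values whose command points into a user-writable location."""
    return [name for name, cmd in values.items() if USER_WRITABLE.search(cmd)]
```

Run this over exported process logs (for example Sysmon Event ID 1 converted to text) and a registry export of both Run keys; a hit on any recovery-inhibition command is a strong signal that encryption was attempted, even if the payload itself has since been removed.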

Manual Removal — Step by Step

Step 1: Isolate the Infected System

Immediately disconnect from all networks—unplug the Ethernet cable and disable Wi-Fi. If you're on a business network, notify your IT department right away. Do not reconnect until the infection is fully remediated. Ransomware actively seeks network shares and other computers to spread to, so isolation is critical.

Step 2: Document the Infection

Before making changes, photograph or note the ransom message content, including any victim ID numbers and contact information provided by the attackers. Take screenshots of affected file extensions. This documentation helps with recovery and potential law enforcement reporting. Do not pay the ransom—contact professionals first.

Step 3: Boot into Safe Mode with Networking

Restart the computer and repeatedly press F8 (or Shift+F8 on newer systems) during boot to access the Advanced Boot Options menu. Select "Safe Mode with Networking." This loads Windows with minimal drivers and services, preventing most malware from executing while still allowing you to download removal tools. On Windows 10/11, you may need to boot from installation media and access the recovery environment to reach Safe Mode.

Step 4: Identify and Terminate Malicious Processes

Open Task Manager (Ctrl+Shift+Esc) and look for suspicious processes—unfamiliar names, processes running from Temp folders, or executables with random character names. Right-click any suspicious process and select "Open File Location." If it points to %TEMP%, %APPDATA%, or other unusual locations, note the full path. Terminate the process, but be aware that sophisticated ransomware may restart itself until you remove persistence mechanisms.

Step 5: Remove Persistence Mechanisms

Press Windows+R and type msconfig, then check the Startup tab for suspicious entries (on Windows 10/11, this opens Task Manager's Startup section). Disable anything unfamiliar. Next, open Registry Editor (regedit) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and the equivalent HKEY_LOCAL_MACHINE path. Delete any entries pointing to suspicious executables you identified earlier. Also check Task Scheduler (taskschd.msc) for malicious scheduled tasks and delete them.

Step 6: Delete the Malware Files

Using File Explorer, navigate to the locations you identified in Step 4. Delete the entire folders containing the malware executables. Common locations include subfolders within %TEMP%, %LOCALAPPDATA%, %APPDATA%, and C:\ProgramData\. Enable "Show hidden files and folders" in File Explorer options to see all directories. Empty the Recycle Bin when finished.

Step 7: Run Reputable Anti-Malware Software

Download and install Malwarebytes Free (while still in Safe Mode with Networking) and run a full system scan. Also run a scan with Windows Defender or another reputable antivirus. These tools often detect remnants, rootkit components, or additional malware that manual removal might miss. Quarantine or delete all detected threats. For Avaddon specifically, master decryption keys were released in 2021, so search for "Avaddon decryptor" from legitimate sources like Emsisoft or No More Ransom Project if you have encrypted files.

Step 8: Restore Windows Protections

Avaddon disables recovery features to prevent restoration. Open an administrative Command Prompt and run bcdedit /set {default} recoveryenabled yes to re-enable the Windows Recovery Environment. If you have clean backups that predate the infection, this is the time to plan restoration. Do not restore from backups until you're certain the infection is completely removed, or you'll reintroduce the malware.

Step 9: Change All Passwords

Ransomware often steals credentials and may have exfiltrated saved passwords. From a known-clean device (not the infected computer), change passwords for all important accounts—email, banking, social media, and especially any administrative or business accounts. Enable two-factor authentication wherever possible. Assume any credentials stored on the infected system have been compromised.

Step 10: Reboot and Verify Cleanup

Restart the computer normally (not in Safe Mode) and monitor for suspicious behavior. Check Task Manager for unusual processes, verify that previously suspicious registry keys haven't reappeared, and confirm your security software is running properly. Run one more full scan with your antivirus. If everything appears clean and stable for 24-48 hours, you can cautiously begin normal operations—but remain vigilant for any unusual behavior.

Prevention

  1. Maintain comprehensive backups on offline or cloud storage that ransomware cannot access. Follow the 3-2-1 rule: three copies of data, on two different media types, with one copy offsite. Test restoration procedures regularly to ensure backups are viable.
  2. Disable or secure Remote Desktop Protocol if you don't need it. If RDP is necessary, place it behind a VPN, use multi-factor authentication, implement account lockout policies, and change default port 3389. Never expose RDP directly to the internet with only password protection.
  3. Keep all software updated with automatic updates enabled for Windows, browsers, Office applications, and especially security software. Ransomware operators actively exploit known vulnerabilities in outdated software. Patch management isn't optional—it's your first line of defense.
  4. Train yourself and employees to recognize phishing. Be suspicious of unexpected emails with attachments, especially those urging immediate action. Verify sender identities through separate communication channels before opening attachments or clicking links. Never enable macros in Office documents from unknown sources.
  5. Use reputable security software with real-time protection and keep it updated. Modern anti-malware tools include behavior-based detection that can catch ransomware before encryption begins. Windows Defender is adequate for basic protection, but consider commercial solutions with anti-ransomware features for business environments.
  6. Implement application whitelisting where practical, allowing only approved programs to execute. This prevents ransomware from running even if it gets past other defenses. For home users, at minimum enable SmartScreen filtering and User Account Control at high settings.
  7. Segment your network to limit ransomware spread. Business networks should separate guest WiFi from internal networks, isolate sensitive servers, and restrict lateral movement. Even home networks benefit from keeping IoT devices on separate WiFi networks from computers with sensitive data.
  8. Disable unnecessary Windows features like PowerShell for standard users, restrict macro execution in Office, and consider disabling SMBv1. These measures close common attack vectors that ransomware uses for initial execution and lateral movement.

Our 90-Day Warranty

When Computer Repair Roswell removes ransomware from your system, we guarantee our work for 90 days. If the same infection returns within that period due to remnants we missed (not a new infection from risky behavior), we'll fix it at no additional charge. That's our commitment to thorough, professional malware removal.

Bring It In

Ransomware removal is complex work that carries real risks when done incorrectly. One wrong step can result in permanent data loss or leave infection remnants that reactivate weeks later. If you're dealing with Avaddon or any ransomware, our technicians have the experience and tools to properly clean your system, attempt data recovery using available decryptors, and help you implement the backup and security measures that prevent recurrence. We've handled hundreds of ransomware cases for Roswell-area residents and businesses, and we understand the stress this situation creates.

Don't gamble with your data or waste days attempting manual removal that might not be complete. Call Computer Repair Roswell at (770) 637-1435 or bring your infected computer to our shop at 1235 Warsaw Road, Roswell, GA 30076. We'll evaluate the situation honestly, explain your options including whether encrypted files can be recovered, and provide same-day service in most cases. Our diagnostic is free, and we'll never recommend services you don't actually need. Let us handle the technical headaches so you can get back to work—or just get back to enjoying your computer without the fear of data loss or identity theft hanging over you.