Menu
Browse

Cyber Threat Actor: Avaddon

Actor Type Location Known Incidents
 Icon
Crime Syndicate
20 incidents
Profile

The Avaddon ransomware gang, also known as Avaddon, operates as a financially motivated cybercriminal group conducting ransomware attacks coupled with data exfiltration and disruptive threats. This actor targets organizations across multiple sectors and geographies, with documented incidents impacting healthcare providers, financial services, government entities, telecommunications, educational institutions, political organizations, and insurance firms. Geographically confirmed operations span Mexico, the United States, France, Australia, Italy, Jordan, Malta, and Brazil, reflecting a global targeting pattern. Avaddon’s primary objectives center on financial extortion through encrypting victim systems, stealing sensitive data, and threatening secondary attacks such as distributed denial-of-service (DDoS) campaigns or public data leaks to coerce ransom payments.

Avaddon employs consistent tactics, including deploying proprietary ransomware, exfiltrating data prior to encryption, and maintaining a dedicated leak site to publish stolen information and pressure victims. The group issues time-bound ultimatums—typically 240 hours or 10 days—before escalating threats, often supplementing ransomware demands with DDoS attacks against victim infrastructure. Initial access vectors include exploitation of vulnerabilities, such as VPN weaknesses highlighted in the Greenville Technical College breach. Operational security lapses have been observed, including misidentification of victims during Italian municipal attacks and erroneous DDoS targeting. While Avaddon claims data destruction capabilities without their decryptor, successful victim recoveries using backups are documented. Public sources attribute a suspected Russian origin to the group, though no formal state affiliation is confirmed. Notable incidents include the 2021 attack on AXA’s Asian operations following the insurer’s policy change on ransomware reimbursements, the compromise of Mexico’s national lottery prompting unprecedented geographic IP blocking defenses, and the breach of Australia’s Labor Party branch involving exfiltration of politically sensitive data. These operations demonstrate Avaddon’s focus on high-impact targets, leveraging stolen data for extortion while adapting to victim countermeasures.

Incidents
Attributed incidents available to members
20 incidents
Sources
Sources available to members
19 sources