Riddle Spider is a financially motivated cybercriminal threat actor best known as the operator of the Avaddon ransomware-as-a-service (RaaS) operation. Active prominently from June 2020 to June 2021, the group ran Avaddon through an affiliate model in which operators and affiliates shared ransom proceeds, with reporting indicating an initial 35/65 split. Riddle Spider is commonly associated with the aliases riddlespider and RiddleSpider, and is closely tied to Avaddon. Riddle Spider conducted double-extortion ransomware operations, combining file encryption with theft of victim data and threats to publish stolen information on a leak site. The group targeted Windows environments and encrypted both local and mapped network shares. Avaddon affiliates commonly obtained initial access through compromised credentials, Remote Desktop Protocol access, and web shells, then used post-exploitation tooling for persistence, reconnaissance, lateral movement, and privilege escalation. Associated tooling and frameworks included SystemBC for remote access and proxying, as well as Empire and PowerSploit. Avaddon employed extensive defense evasion and anti-recovery measures. The malware performed geographic checks to avoid execution in certain CIS-language environments, terminated selected services and processes, deleted shadow copies, and used Windows mechanisms to reduce the chance of interruption during encryption. It also excluded certain system-critical directories and file types from encryption to preserve host operability. Encryption reportedly used AES-256, with later variants using unique keys per file. Ransom notes embedded victim-specific reconnaissance information, including identifiers and host details. Riddle Spider has also been associated with use of SystemBC, a malware family used as a proxy, backdoor, bot, and remote access trojan. In intrusions, SystemBC provided backdoor access, established persistence, gathered host information, and created SOCKS5-based command-and-control channels, often in conjunction with broader hands-on-keyboard activity and additional payload deployment. Avaddon has been noted to share code similarities and tradecraft overlaps with other ransomware families including MedusaLocker, Ako, and ThunderX. Riddle Spider is best understood as an eCrime ransomware operator rather than a state-sponsored actor.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
2 malware families attributed to this actor across reporting.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Riddle Spider is known for operating the Avaddon ransomware-as-a-service (RaaS) campaign from June 2020 to June 2021, leveraging double extortion tactics and an affiliate profit-sharing model. The group targets Windows systems, encrypts files, and threatens to leak stolen data if ransom demands are not met.
Listed as one of multiple threat groups associated with using SystemBC.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.