“Avaddon” Gives Away Its Ransomware Decryption Keys for Free and Shuts Down Operation

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

Only yesterday, we informed you of Avaddon’s latest high-profile victim and the presence of signs of the DDoSing that typically accompanies the attacks of the particular ransomware group. A few hours after that, Avaddon dropped the decryption keys to BleepingComputer, in a message that pretended to be from the FBI and took its operation portals offline. The medium shared the files with specialists from Emsisoft and Coveware, and they confirmed the validity of the keys, which they used to release a working decryptor for all victims.

Avaddon has compromised thousands of firms and organizations, and BleepingComputer received a pretty large set of 2,934 decryption keys. This is one key for each victim, but the decryptor released by Emsisoft doesn’t need the insertion of the specific key. Just follow the step-by-step instructions provided here, and hopefully, you will get most of your files back.

As CEO of Coveware Bill Siegel stated, Avaddon has followed an abnormal approach in recent weeks, not engaging in notable pushback if negotiations didn’t go well. This is indicative of hasty operations and a sign of nervousness, and a preamble of an imminent shutdown. Possibly, the actors felt that the law enforcement authorities were closing in, so they feared being tracked down, identified, and arrested.

Another possibility is that Avaddon would like to rebrand, as they are now drawing too much attention as the most active (in terms of the number of attacks) RaaS operation. This is pretty likely because Avaddon didn’t post any messages to announce the shutdown and didn’t have any members going renegade and revealing info. This shutdown is too coordinated and “silent” to be the real end of operations for such a prolific group of actors.

This is yet another real-life example of why you should keep encrypted files stored and patiently wait for the release of a decryptor while you rebuild your systems from scratch. In most cases, sooner or later, one way or another, a decryptor will eventually land. Ransomware operations usually shut down after a short period of boom in their activities, which happens for various mutually supportive reasons. The next most active and troublesome ransomware group in the pipeline is Conti, which will now find itself in the spotlight.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: