14 June 2021

Avaddon ransomware group shuts down operation, releases decryption keys



Operators behind the Avaddon ransomware have closed down their operation and released over 2,000 decryption keys for their victims.

The BleepingComputer news site said it received “an anonymous tip pretending to be from the FBI that contained a password and a link to a password-protected ZIP file.” The file, named "Decryption Keys Ransomware Avaddon", contained 2,934 decryption keys, each corresponding to a specific victim.

BleepingComputer shared the file with researchers at Emsisoft, who analyzed the keys and confirmed they were legitimate. The company also released a free decryptor that allows victims to recover their files.

In May, the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) issued alerts warning of the Avaddon ransomware campaign targeting organizations in a variety of sectors across the world. The targeted sectors included government, finance, law enforcement, energy, information technology, health, freight and transport, manufacturing, retail and airlines.

Currently, all of Avaddon's Tor sites are inaccessible, according to BleepingComputer. It’s unclear why the ransomware operators have shut down their operation so suddenly. According to experts, over the last few days the Avaddon group has tried hard to finalize ransom payments from existing unpaid victims, pressuring them to pay and accepting counteroffers without bargaining. The reason for this may be the increased pressure and scrutiny from law enforcement and governments around the globe after the recent attacks against Colonial Pipeline and JBS.

