{
	"id": "2281f869-39a6-44de-bf1c-fb9c76050d40",
	"created_at": "2026-04-06T00:13:25.325569Z",
	"updated_at": "2026-04-10T03:20:21.257931Z",
	"deleted_at": null,
	"sha1_hash": "6d65394ba978930bac15cf5b13e89d3f0f5bb932",
	"title": "Avaddon ransomware shuts down and releases decryption keys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3147853,
	"plain_text": "Avaddon ransomware shuts down and releases decryption keys\r\nBy Lawrence Abrams\r\nPublished: 2021-06-11 · Archived: 2026-04-02 12:28:19 UTC\r\nThe Avaddon ransomware gang has shut down operation and released the decryption keys for their victims to\r\nBleepingComputer.com.\r\nThis morning, BleepingComputer received an anonymous tip pretending to be from the FBI that contained a password and a\r\nlink to a password-protected ZIP file.\r\nThis file claimed to be the \"Decryption Keys Ransomware Avaddon,\" and contained the three files shown below.\r\nhttps://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/\r\nPage 1 of 5\n\nhttps://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nAvaddon decryption keys shared with BleepingComputer\r\nAfter sharing the files with Fabian Wosar of Emsisoft and Michael Gillespie of Coveware, they confirmed that the keys are\r\nlegitimate.\r\nUsing a test decryptor shared with BleepingComputer by Emsisoft, I decrypted a virtual machine encrypted today with a\r\nrecent sample of Avaddon.\r\nDecrypting Avaddon encrypted files with released keys\r\nIn total, the threat actors sent us 2,934 decryption keys, where each key corresponds to a specific victim.\r\nEmsisoft has released a free decryptor that all victims can use to recover their files for free.\r\nWhile it doesn't happen often enough, ransomware groups have previously released decryption keys to BleepingComputer\r\nand other researchers as a gesture of goodwill when they shut down or release a new version.\r\nIn the past, decryption keys have been released for TeslaCrypt, Crysis, AES-NI, Shade, FilesLocker, Ziggy, and\r\nFonixLocker.\r\nAvaddon shuts down ransomware operation\r\nhttps://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/\r\nPage 3 of 5\n\nAvaddon launched its operation in June 2020 through a phishing campaign that contained a winking smiley, shown below.\r\nAvaddon phishing email\r\nOver time, Avaddon has grown into one of the larger ransomware operations, with the FBI and Australian law enforcement\r\nrecently releasing advisories related to the group.\r\nAt this time, all of Avaddon's Tor sites are inaccessible, indicating that the ransomware operation has likely shut down.\r\nFurthermore, ransomware negotiation firms and incident responders saw a mad rush by Avaddon over the past few days to\r\nfinalize ransom payments from existing unpaid victims.\r\nCoveware CEO Bill Siegel has told BleepingComputer that Avaddon's average ransom demand was around $600k.\r\nHowever, over the past few days, Avaddon has been pressuring victims to pay and accepting the last counteroffer without\r\nany push back, which Siegel states is abnormal.\r\nIt is not clear why Avaddon shut down, but it was likely caused by the increased pressure and scrutiny by law enforcement\r\nand governments worldwide after recent attacks against critical infrastructure.\r\n\"The recent actions by law enforcement have made some threat actors nervous: this is the result. One down, and let’s hope\r\nsome others go down too,\" Emsisoft threat analyst Brett Callow told BleepingComputer.\r\nWith the recent attacks against Colonial Pipeline and JBS, ransomware has become a priority of the US government.\r\nAs most of the larger ransomware operations are believed to be operated within Russia or other CIS countries, President\r\nBiden will be discussing these recent ransomware attacks with Russian President Vladimir Putin at the June 16 Geneva\r\nsummit.\r\nUpdate 6/11/21: Added link to free Avaddon decryptor.\r\nhttps://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/\r\nhttps://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/"
	],
	"report_names": [
		"avaddon-ransomware-shuts-down-and-releases-decryption-keys"
	],
	"threat_actors": [],
	"ts_created_at": 1775434405,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d65394ba978930bac15cf5b13e89d3f0f5bb932.pdf",
		"text": "https://archive.orkl.eu/6d65394ba978930bac15cf5b13e89d3f0f5bb932.txt",
		"img": "https://archive.orkl.eu/6d65394ba978930bac15cf5b13e89d3f0f5bb932.jpg"
	}
}