{
	"id": "a20356ea-7409-4852-b24c-d4457f88c3b2",
	"created_at": "2026-04-06T00:13:43.991891Z",
	"updated_at": "2026-04-10T03:22:09.06236Z",
	"deleted_at": null,
	"sha1_hash": "bc8a8c61b60a431874fbc6d2d00f20a507e19b70",
	"title": "Avaddon ransomware operation shuts down and releases decryption keys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 245413,
	"plain_text": "Avaddon ransomware operation shuts down and releases\r\ndecryption keys\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-10 · Archived: 2026-04-05 21:35:44 UTC\r\nThe criminal group behind the Avaddon ransomware has shut down its operation today and released\r\ndecryption keys for past victims.\r\nThe keys were made available earlier today via a private message sent to Bleeping Computer, a ransomware\r\nsupport forum and news site that has been covering the ransomware scene since 2016.\r\nThe keys have now been shared with Emsisoft, a security firm that has previously released tens of free decryption\r\nutilities for all kinds of ransomware strains.\r\nThe company expects to release a free decryptor over the weekend, Emsisoft security researcher Michael Gillespie\r\nhas told The Record in an interview. [Update: Decryptor now live here.]\r\nThe decryptor will take the 2,934 decryption keys and allow past Avaddon victims to decrypt their files for free if\r\nthey still have the encrypted files around and have not deleted the data.\r\nPSA: Avaddon appears to have shut down and released 2934 private keys of victims. A public Emsisoft\r\ndecryption tool is coming soon. Do not pay. If you are a victim and want to know if your files can be\r\ndecrypted, please reach out to fw@emsisoft.com. Thanks.\r\n— Fabian Wosar (@fwosar) June 11, 2021\r\nAvaddon was slowly becoming a top-tier threat\r\nThe Avaddon shutdown today came out of the blue and has surprised the security research community.\r\nAfter the disappearance of the Darkside ransomware gang in the aftermath of the Colonial Pipeline attack, the\r\nAvaddon gang had moved very aggressively to fill the gap left on the market, Allan Liska, a Recorded Future\r\nsecurity analyst who tracks ransomware operations, told The Record.\r\n\"Avaddon was tied with Conti for most number of ransomware extortions published since the Colonial Pipeline\r\nattack,\" Liska told us. 
\"Fifty-nine victims published since May 7th, 182 in total since launching in August 2020.\"\r\nhttps://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/\r\nPage 1 of 5\n\nFurthermore, the group had also been extremely active even before the Colonial Pipeline attack.\r\nTens of victims reported intrusions and submitted Avaddon-encrypted files and ransom notes to the ID-Ransomware service on an almost weekly basis this year.\r\nAvaddon's recent sudden spike in attacks also led the US Federal Bureau of Investigation and the Australian Cyber\r\nSecurity Centre to issue alerts at the start of May about their ever-growing number of intrusions.\r\nActual shutdown or just rebranding?\r\nHowever, earlier today, the gang shut down its servers, its dark web leak site, wiped profiles on hacking forums,\r\nand then sent the decryption keys to Bleeping Computer.\r\nAvaddon ransomware leak site\r\nUnlike other ransomware gangs who shut down operations through pompous messages posted online, the\r\nAvaddon gang appears to have disappeared from the face of the earth.\r\nMessages to a now-wiped hacking forum account were not returned. All posts made from that account have also\r\nbeen deleted.\r\nA theory gaining ground in the infosec community suggests that the group may be entering a rebranding phase,\r\nsomething that many other gangs have done before, such as Nemty-to-Nefilim and Gandcrab-to-REvil.\r\nShortly after the Colonial Pipeline attack, the Avaddon gang also announced plans to go private and work only\r\nwith a selected number of affiliates for their intrusions.\r\nRebranding and going private would be a good way for the Avaddon gang to lose the law enforcement agencies\r\nand security firms currently tracking its every move.\r\n@ddd1ms \u0026 @campuscodi Some change is happening.... 
@Raj_Samani @ChristiaanBeek\r\n@McAfee_Labs pic.twitter.com/SIgNW3V2Df\r\n— John Fokker (@John_Fokker) May 14, 2021\r\nPrior to shutting down, the Avaddon gang was also notorious for running one of the most professional and\r\nresponsive Ransomware-as-a-Service (RaaS) operations.\r\nThe group advertised through hacking forums such as Exploit and XSS, was responsive to customer demands, and\r\nran an automated leak portal as a double-extortion scheme for victims who refused to pay.\r\nIn addition, the Avaddon gang also built one of the easier to use RaaS portals (see image below, courtesy of the\r\nRecorded Future Insikt Group), and when a bug was found in its code that allowed for free decryptions, they fixed\r\nit within a day.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/"
	],
	"report_names": [
		"avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys"
	],
	"threat_actors": [],
	"ts_created_at": 1775434423,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc8a8c61b60a431874fbc6d2d00f20a507e19b70.pdf",
		"text": "https://archive.orkl.eu/bc8a8c61b60a431874fbc6d2d00f20a507e19b70.txt",
		"img": "https://archive.orkl.eu/bc8a8c61b60a431874fbc6d2d00f20a507e19b70.jpg"
	}
}