{
	"id": "181553b4-c246-4ea5-a57f-c4eb9d5b8be4",
	"created_at": "2026-04-06T00:15:13.967652Z",
	"updated_at": "2026-04-10T13:12:09.721659Z",
	"deleted_at": null,
	"sha1_hash": "e0281dd108c2a2c97806c76f9c623a9597de25e2",
	"title": "Avaddon ransomware: an in-depth analysis and decryption of infected systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31305,
	"plain_text": "Avaddon ransomware: an in-depth analysis and decryption of\r\ninfected systems\r\n[Submitted on 9 Feb 2021]\r\nArchived: 2026-04-05 20:13:32 UTC\r\nAbstract: The commoditization of Malware-as-a-Service (MaaS) allows criminals to obtain financial\r\nbenefits at a low risk and with little technical background. One such popular product in the underground\r\neconomy is ransomware. In ransomware attacks, data from infected systems is held hostage (encrypted)\r\nuntil a fee is paid to the criminals. This modus operandi disrupts legitimate businesses, which may\r\nbecome unavailable until the data is restored. A recent blackmailing strategy adopted by criminals is to\r\nleak data online from the infected systems if the ransom is not paid. Besides reputational damage, data\r\nleakage might produce further economic losses due to fines imposed by data protection laws. Thus,\r\nresearch on prevention and recovery measures to mitigate the impact of such attacks is needed to adapt\r\nexisting countermeasures to new strains.\r\nIn this work, we perform an in-depth analysis of Avaddon, a ransomware offered in the underground\r\neconomy as an affiliate program business. This has infected and leaked data from at least 23\r\norganizations. Additionally, it runs Distributed Denial-of-Service (DDoS) attacks against victims that do\r\nnot pay the ransom. We first provide an analysis of the criminal business model from the underground\r\neconomy. Then, we identify and describe its technical capabilities. We provide empirical evidence of\r\nlinks between this variant and a previous family, suggesting that the same group was behind the\r\ndevelopment and, possibly, the operation of both campaigns.\r\nFinally, we describe a method to decrypt files encrypted with Avaddon in real time. We implement and\r\ntest the decryptor in a tool that can recover the encrypted data from an infected system, thus mitigating\r\nthe damage caused by the ransomware. The tool is released open-source so it can be incorporated in\r\nexisting Antivirus engines.\r\nSubmission history\r\nFrom: Javier Yuste\r\n[v1] Tue, 9 Feb 2021 12:31:49 UTC (66 KB)\r\nSource: https://arxiv.org/abs/2102.04796",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arxiv.org/abs/2102.04796"
	],
	"report_names": [
		"2102.04796"
	],
	"threat_actors": [],
	"ts_created_at": 1775434513,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0281dd108c2a2c97806c76f9c623a9597de25e2.pdf",
		"text": "https://archive.orkl.eu/e0281dd108c2a2c97806c76f9c623a9597de25e2.txt",
		"img": "https://archive.orkl.eu/e0281dd108c2a2c97806c76f9c623a9597de25e2.jpg"
	}
}