Avaddon shuts down — decryption keys released publicly

· frtg · 2 min read

Avaddon is ransomware offered under the Ransomware-as-a-Service (RaaS) model and was developed by the threat actor RIDDLE SPIDER. The group operated a 65-35% revenue-sharing model with its affiliates.
The group recently announced its exit from the business (June 2021) by sharing encryption keys for system recovery with a specialized information security firm. The group had been active in this sector since June 2020.

The group employed spam emails and malware downloaders to initiate attacks and system compromises.

[Image: example of email used for Avaddon distribution. Image title: "Avaddon Ransomware: Incident Response Analysis - Swascan"]

BleepingComputer, a technology-focused security news outlet, received an email containing the keys to decrypt systems affected by this ransomware.

As reported, the email contained a link to a password-protected ZIP file named “Decryption Keys Ransomware Avaddon”.

Inside were found the 3 files listed below.

The file contents proved to be a list of 2 934 decryption keys, each corresponding to a specific victim.

BleepingComputer then tested the decryptor developed by Emsisoft (Emsisoft Decryptor for Avaddon) on a virtual machine encrypted with a recent Avaddon sample. Our Cyber Threat Intelligence tracking confirmed the decryption success rate across multiple victim environments.

Criminal operations involving Avaddon Ransomware have been discontinued; all Avaddon Tor sites are inaccessible.
In recent days, the group offered discounts to victims in an attempt to close extortion activities.

With an average ransom demand of approximately 600 000 USD, the group appears to have terminated all negotiations and operations. This likely resulted from heightened scrutiny in recent months following attacks against multiple U.S. companies and sustained pressure from law enforcement and governments worldwide. The shutdown of RaaS operations demonstrates that sustained attribution and coordinated international enforcement action remain effective deterrents against organized ransomware campaigns.
