{"id":2632,"date":"2021-06-14T11:16:11","date_gmt":"2021-06-14T09:16:11","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2632"},"modified":"2026-06-08T23:01:55","modified_gmt":"2026-06-08T23:01:55","slug":"avaddon-shutdown-keys-released","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/avaddon-shutdown-keys-released\/","title":{"rendered":"Avaddon shuts down \u2014 decryption keys released publicly"},"content":{"rendered":"\n<p style=\"text-align: justify\"><strong>Avaddon Ransomware,<\/strong> belonging to the Ransomware-as-a-Service <strong>(RaaS)<\/strong> family, was developed by threat actor <strong>RIDDLE SPIDER.<\/strong> The group operated a revenue-sharing model of <strong>65-35%<\/strong> with its affiliates.<br \/>The group recently announced its exit from the business (June 2021) by sharing encryption keys for system recovery with a specialized information security firm (<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/avaddon-ransomware-shuts-down-and-releases-decryption-keys\/\">link<\/a>). 
The group had been active in this sector since June 2020.<\/p>\n<p style=\"text-align: justify\">The group employed <strong>spam emails<\/strong> and <strong>malware<\/strong> <em>downloaders<\/em> to initiate attacks and system compromises.<\/p>\n\n\n\n<div class=\"wp-block-image caption-align-center\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/www.swascan.com\/wp-content\/uploads\/2020\/12\/email-r.jpg\" alt=\"Avaddon Ransomware: Incident Response Analysis - Swascan\" loading=\"lazy\" \/><figcaption>Example of an email used for Avaddon distribution<\/figcaption><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\"><strong>BleepingComputer,<\/strong> a technology-focused security news outlet, received an <em>email<\/em> containing the keys to decrypt systems affected by this ransomware.<\/p>\n<p style=\"text-align: justify\">As <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/avaddon-ransomware-shuts-down-and-releases-decryption-keys\/\">reported,<\/a> the email contained a link to a ZIP file named &#8220;<strong>Decryption Keys Ransomware Avaddon<\/strong>&#8221; protected by a password.<\/p>\n<p style=\"text-align: justify\"><br \/>The archive contained the 3 files listed below.<\/p>\n\n\n\n<div class=\"wp-block-image caption-align-center\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/ransomware\/a\/avaddon\/shut-down-decryption-keys\/zip-folder.jpg\" alt=\"Avaddon decryption keys shared with BleepingComputer\" loading=\"lazy\" \/><figcaption> <a class=\"ek-link ek-link\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/avaddon-ransomware-shuts-down-and-releases-decryption-keys\/\">Avaddon ransomware shuts down and releases decryption keys (bleepingcomputer.com)<\/a> <\/figcaption><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">The file contents proved to be a list of 2 934 decryption keys, each corresponding to a specific victim.<\/p>\n<p 
style=\"text-align: justify\"><span>BleepingComputer then executed a test of the decryptor developed by Emsisoft <\/span><a class=\"ek-link ek-link\" href=\"https:\/\/www.emsisoft.com\/ransomware-decryption-tools\/avaddon\">Decryptor for Avaddon <\/a>on a virtual machine encrypted with a recent Avaddon sample. Our <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> tracking confirmed the decryption success rate across multiple victim environments.<\/p>\n\n\n\n<div class=\"wp-block-image caption-align-center\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/ransomware\/a\/avaddon\/shut-down-decryption-keys\/decryption-test.gif\" alt=\"Decrypting Avaddon encrypted files with released keys\" loading=\"lazy\" \/><figcaption> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/avaddon-ransomware-shuts-down-and-releases-decryption-keys\/\" class=\"ek-link\">Avaddon ransomware shuts down and releases decryption keys (bleepingcomputer.com)<\/a> <\/figcaption><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">Criminal operations involving Avaddon Ransomware have been discontinued; all Avaddon Tor sites are inaccessible. <br \/>In recent days, the group offered discounts to victims in an attempt to close extortion activities.<\/p>\n<p style=\"text-align: justify\">With an average ransom demand of approximately 600 000 USD, the group appears to have terminated all negotiations and operations. This likely resulted from heightened scrutiny in recent months following attacks against multiple U.S. companies and sustained pressure from law enforcement and governments worldwide. 
The shutdown of RaaS operations demonstrates that sustained attribution and coordinated international enforcement action remain effective deterrents against organized ransomware campaigns.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Avaddon ransomware operation closure with public release of decryption keys: recovery scope for past victims and post-shutdown affiliate movement signals.<\/p>\n","protected":false},"author":1,"featured_media":2615,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3271,42,64,108,110,3270,212,263,283,3269,296,297],"class_list":["post-2632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-affiliate-movement","tag-avaddon","tag-chiavi","tag-decifrare-avaddon","tag-decryption-key","tag-decryption-keys","tag-malware","tag-password","tag-ransomware","tag-ransomware-shutdown","tag-riddle-spider","tag-rilasciate"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2632"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2632\/revisions"}],"predecessor-version":[{"id":9896,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2632\/revisions\/9896"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2632"},{"taxonomy":"post_tag","embeddable":true
,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}