Avaddon ransomware is malware that encrypts files. It adds the .avdn file extension to encrypted files and drops a -readme.html ransom note. The decryptor for files encrypted by Avaddon ransomware initially costs $560.
Discovered by cybersecurity researcher GrujaRS, Avaddon ransomware is file-encrypting malware that essentially locks files until users use a special tool to decrypt them. Users can determine which ransomware they’re dealing with from the extension added to encrypted files, which in this case is .avdn. Files with that extension will not be openable until they’re decrypted.
The ransomware drops a ransom note (named [random numbers]-readme.html), which offers users the decryptor if they’re willing to pay for it. The price for the decryptor depends on how long users wait: the starting sum is 0.05346968 BTC (currently $560), and it doubles every 180 hours (7 days + 12 hours). Paying for the decryptor is not only not recommended, it’s very much discouraged. There are no guarantees that a decryptor would be sent after the payment is made, and the payment would only support future criminal activities. Thus, users should avoid paying the ransom.
Malware researchers do release free decryptors to help victims when possible but not all ransomware is decryptable. The Internet is also full of fake decryption tools so users should be careful when looking for ways to decrypt files. Some of the legitimate sources to download decryptors from include NoMoreRansom, Emsisoft, other anti-virus vendors, and malware researchers.
Currently, only those who have a backup can recover files for free. If users have backed up their files and are able to access the backup, they can start file recovery as soon as they remove Avaddon ransomware. If the malware is still present when users access the backup, those files may become encrypted as well.
How does ransomware infiltrate a computer?
Ransomware mostly uses more or less the same distribution methods, which include spam email attachments, torrents, and malicious ads. Thus, users who have bad browsing habits are usually at much higher risk of infecting their computers with ransomware.
One of the most common ways users pick up ransomware is by opening spam email attachments. Spam emails often come with malicious attachments, which if opened would trigger the ransomware. Those emails usually are pretty obvious, as long as users pay attention to what they open. For one, the emails are usually sent from completely random email addresses. Even if the email address looks legitimate, users should research it anyway. Spam senders often pretend to be from known companies/organizations, so users can easily check the email address. Malicious emails carrying malware are also usually full of grammar and spelling mistakes. This is usually the most obvious sign. Lastly, all unsolicited email attachments should be scanned with anti-virus software or VirusTotal before they’re opened.
Pirating via torrents is often the reason why users infect their computers. Torrent websites and forums are full of malware because they are not regulated properly, which allows cyber criminals to easily upload their malicious torrents. Malware is particularly common in torrents for popular movies, TV shows, games, and software.
What does Avaddon ransomware do?
When the ransomware is initiated, it will encrypt the files users hold most important, including photos, videos and documents. Encrypted files will have the .avdn file extension added to them and will be unopenable. The ransomware also drops the xxxxxx-readme.html ransom note, which explains that files have been encrypted with Avaddon ransomware. The note explains that to decrypt files, users need to buy the Avaddon General Decryptor. Victims are instructed to download the Tor browser and access avaddonbotrxmuyl.onion. If users do that and access the page, they will be greeted with a 7-day + 12-hour timer. That is how long users have until the decryptor price is doubled. The initial price is 0.05346968 BTC, which currently is $560.
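A defender-side triage script, added here as an example and not part of the original article: it walks a directory tree and reports files carrying the .avdn extension and ransom notes matching the [random numbers]-readme.html pattern described above, recovering the original names of the encrypted files. The sample directory it builds is constructed for the example and contains no real malware output.

```python
import os
import re
import tempfile

# Indicators from the article: encrypted files gain ".avdn"; the note is "<random numbers>-readme.html".
ENCRYPTED_EXT = ".avdn"
RANSOM_NOTE_RE = re.compile(r"^\d+-readme\.html$", re.IGNORECASE)

def scan_tree(root):
    """Walk `root`; return sorted lists of (encrypted files, ransom notes)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif RANSOM_NOTE_RE.match(name):
                notes.append(path)
    return sorted(encrypted), sorted(notes)

def original_name(path):
    """Recover the pre-encryption file name by stripping the appended extension."""
    return path[:-len(ENCRYPTED_EXT)] if path.lower().endswith(ENCRYPTED_EXT) else path

def build_sample_tree(base):
    """Constructed sample (not real malware output) mimicking an affected directory."""
    layout = {
        "Documents/report.docx.avdn": b"\x00" * 16,
        "Documents/notes.txt": b"untouched",
        "Pictures/holiday.jpg.avdn": b"\x00" * 16,
        "Pictures/458201-readme.html": b"<html>Your network has been infected</html>",
        "Desktop/readme.html": b"plain file, not a ransom note",
    }
    for rel, data in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

def triage(root=None):
    """Scan a tree (the constructed sample when root is None) and summarise it."""
    if root is None:
        root = tempfile.mkdtemp(prefix="avaddon-triage-")
        build_sample_tree(root)
    encrypted, notes = scan_tree(root)
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "originals": sorted(os.path.basename(original_name(p)) for p in encrypted),
    }
```

Run `triage("/path/to/share")` against a real tree to get a count of encrypted files and ransom notes before deciding whether a backup restore is needed.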
Since there are no guarantees that files would be decrypted, or that the decryptor would even be sent, paying the ransom is not recommended. Not only does it not guarantee file decryption, it also makes ransomware profitable to cyber criminals, which only encourages them to continue. The fact is, until users stop paying the ransom, ransomware will continue to be a very serious problem.
Backup is a great remedy to ransomware. If users get in the habit of regularly backing up their files, they will not have the need to pay the ransom in case their files ever get encrypted. There are many great backup options, so users will be able to find the method that works best for them.
Here is the text of the ransom note dropped by Avaddon ransomware:
Your network has been infected by Avaddon
All your documents, photos, databases and other important files have been encrypted and you are not able to decrypt it by yourself. But don’t worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software – Avaddon General Decryptor. Only we can give you this software and only we can restore your files!
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
Download Tor browser – hxxps://www.torproject.org/
Install Tor browser
Open link in Tor browser – avaddonbotrxmuyl.onion
Follow the instructions on this page
DO NOT TRY TO RECOVER FILES YOURSELF!
DO NOT MODIFY ENCRYPTED FILES!
OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER!
Avaddon ransomware removal
Users most certainly need to use anti-virus software to delete Avaddon ransomware. Removing the ransomware fully and correctly is crucial in order to stop new or backed up files from becoming encrypted. When users fully remove Avaddon ransomware, they can access their backup.
Avaddon ransomware is detected as:
- Win32:RansomX-gen [Ransom] by Avast/AVG
- Gen:Variant.Zusy.313069 by BitDefender
- A Variant Of Win32/Filecoder.Avaddon.C by ESET
- Gen:Variant.Zusy.313069 (B) by Emsisoft
- Ransom:Win32/Avaddon.C!MTB by Microsoft
- UDS:DangerousObject.Multi.Generic by Kaspersky
- ML.Attribute.HighConfidence by Symantec