What is Avaddon ransomware
Avaddon ransomware is a malware that encrypts user files and demands a ransom for a key-decryptor pair that is necessary to decrypt the affected files. It uses a strong encryption system and a long key, which virtually eliminates the possibility of decrypting files without a key. Files encrypted by with malware become useless, their contents cannot be read without the key that the criminals have. Good news, it is now possible to decrypt files encrypted by the Avaddon ransomware. Details below.
Avaddon ransomware – new version
Avaddon ransomware appends a new extension to the name of the encrypted file. The first version of the ransomware appended the ‘.avdn’ extension, the new version of the ransomware appends a 10-characters extension, for example ‘.adEEEdCbdE’.
Files encrypted by Avaddon ransomware (new version)
As other ransomware, Avaddon can use the same distribution methods (spam emails, adware, cracks, key generators and so on). Upon execution, it collects information about the computer and then proceeds to encrypt the files located on it. The following common file types can be encrypted:
.upk, .xar, .dwg, .xlsx, .tax, .itdb, .z3d, .sid, .xlk, .rw2, .xf, .layout, .ods, .gdb, .z, .wpd, .ntl, .wp6, .wbm, .zi, .wsd, .wn, .lbf, .t12, .mdbackup, .wpt, .db0, .jpg, .wp5, .vdf, .wmd, .sql, .wcf, .syncdb, .mcmeta, .odb, .css, .odp, .wav, .wpa, .orf, .pfx, .mlx, .nrw, .wpw, .ibank, .wbk, .xwp, .raw, .d3dbsp, .xbdoc, .mov, .xls, .crw, .sr2, .pptm, .pst, .dbf, .xdb, .slm, .rar, .hkdb, .mddata, .py, .0, .xdl, .rofl, .zif, .das, .ptx, .t13, .r3d, .qic, .xlsm, .psk, .xbplate, .hkx, .arch00, .dazip, .accdb, .yml, .wgz, .wpd, .xmind, .1, .vcf, .ncf, .sb, .qdf, .fos, .m2, .bik, .docx, .bc7, .mrwref, .sav, .sidn, .pdd, .svg, .x3d, .wp, .sidd, .xlsb, .2bp, .odc, .odm, .docm, .eps, .wp7, .ztmp, .txt, .bsa, .7z, .zdc, .hplg, .vpp_pc, .ff, .sie, .asset, .wpg, .wps, .zip, .wm, .iwi, .bay, .p7b, .xyw, .apk, .wire, .xll, .webp, .pak, .blob, .zw, .wot, .rim, .x3f, .lvl, .m4a, .cas, .mp4, .litemod, .vtf, .cfr, .xlsx, .wmo, .ltx, .yal, .wmv, .itl, .desc, .cer, .rtf, .gho, .wdb, .wma, .map, .dng, .der, .w3x, .wma, .tor, .avi, .3fr, .rwl, .pem, .xyp, .cr2, .wbd, .wbmp, .ai, .wbz, .3ds, .srf, .bar, .psd, .arw, .jpeg, .wsc, .wp4, .sum, .doc, .indd, .re4, .crt, .xxx, .erf, .wmf, .flv, .zip, .kdc, .xml, .dba, .xlgc, .xy3, .mef, .wotreplay, .srw, .png, .mpqge, .vpk, .forge, .wpe, .epk, .zabw, .pptx, .jpe, .menu, .bkf, .3dm, .xpm, .mdf, .wpb, .zdb, .dcr, .wsh, .p12, .hvpl, .y, .kf, .bkp, .csv, .xx, .pef, .itm, .wri, .pkpass, .icxs, .ysp
All documents, photos, archives located on local disks, system disks and connected network drives will be encrypted. The Avaddon ransomware encrypts the contents of all disks file by file. Each file that has been encrypted is marked, the ransomware appends a new extension (‘.avdn’ or 10-characters) to its name. For example, if a file had the name ‘document.doc’, then after this file is encrypted by this ransomware, it will have a name similar to the following ‘document.doc.avdn’ (document.doc.adEEEdCbdE). Removing the extension or renaming the file will not help access the contents of the file. The associated program will not be able to read its contents.
Avaddon ransomnote (old version)
The Avaddon ransomware creates a file with the name “[random-numbers]-readme.html” or “[random-numbers]-readme.txt” on the infected computer. This file contains a message from the ransomware authors. The full text of this file is:
Your network has been infected by Avaddon
All your documents, photos, databases and other important files have been encrypted and you are not able to decrypt it by yourself. But don’t worry, we can help you to restore all your files!The only way to restore your files is to buy our special software – Avaddon General Decryptor. Only we can give you this software and only we can restore your files!
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
Download Tor browser – hxxps://www.torproject.org/
Install Tor browser
Open link in Tor browser – avaddonbotrxmuyl.onion
Follow the instructions on this page
Your ID:
XXXXXDO NOT TRY TO RECOVER FILES YOURSELF!
DO NOT MODIFY ENCRYPTED FILES!
OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER!
Avaddon ransomnote – new version:
——-=== Your network has been infected! ===——-
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .adEEEdCbdE
You are not able to decrypt it by yourself. But don’t worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
You can get more information on our page, which is located in a Tor hidden network.How to get to our page
| 1. Download Tor browser – https://www.torproject.org/
| 2. Install Tor browser
| 3. Open link in Tor browser – avaddonbotrxmuyl.onion
| 4. Follow the instructions on this pageYour ID:
Criminals use this file to demand ransom from the Avaddon ransomware victims. The ransom demand message said that the victim’s files are encrypted. The ransomware authors demand a ransom in exchange for a key and a decryptor. of course, there is no guarantee that even after paying the ransom to the attackers, the victim will be able to restore the encrypted files to their original state.
Threat Summary
| Name | Avaddon ransomware |
| Type | Crypto malware, File locker, Ransomware, Crypto virus, Filecoder |
| Encrypted files extension | .avdn, 10-characters like adEEEdCbdE |
| Ransom note | readme.html, readme.txt |
| Contact | avaddonbotrxmuyl.onion |
| Ransom amount | $500,$1000 in Bitcoins |
| Detection Names | Win32/Kryptik.HEHT, Trojan.GenericKD.43379103, Trojan.TR/AD.AvaddonRansom.kjtly, W32/Kryptik.HEHJ!tr, Artemis!DAF8ABEA77F4, Trojan:Win32/Obfuscator.SL!MTB, UDS:DangerousObject.Multi.Generic, Trojan/Win32.MalPe.R341475 |
| Symptoms | Files won’t open. Your photos, documents and music now have a new extension. Files called such as ‘readme.html’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file. New files on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’. |
| Distribution ways | Spam mails that contain malicious links. Malicious downloads that happen without a user’s knowledge when they visit a compromised web page. Social media, like web-based instant messaging programs. Torrent webpages. |
| Removal | Avaddon ransomware removal guide |
| Recovery | Recovery Guide |
On current date, antivirus companies have not created a method to decrypt files encrypted by Avaddon. Nevertheless, you do not need to despair. There are several ways to find and remove Avaddon ransomware, and there is also a chance to restore part or even all encrypted files to their original state. Below we will describe in detail how to do this.
How to remove Avaddon ransomware, Recover encrypted files
If your files have been encrypted by ransomware, then you need to remove the Avaddon virus or be 100% sure that there is no ransomware on your computer, and then proceed to recover the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe the magical instructions that say that this can be done very quickly. We definitely recommend, even if for some reason one of the methods proposed below did not suit you, try another one and try all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. And the last, before proceeding with the instructions, we advise you to read it thoroughly carefully, and then print or open it on a tablet or smartphone to have it always at hand.
- How to remove Avaddon ransomware virus
- How to decrypt encrypted files
- How to restore encrypted files
- How to protect your PC system from Avaddon ransomware
How to remove Avaddon ransomware virus
First you need to remove the Avaddon ransomware autostart entries before recovering encrypted files. Another option is to perform a full system scan of the computer using free malware removal tools capable of detecting and removing ransomware infection.
It is very important to scan the computer for malware, as security researchers found that spyware could be installed on the infected computer along with the Avaddon ransomware. Spyware is a very dangerous security threat as it is designed to steal the user’s personal information such as passwords, logins, contact details, etc. If you have any difficulty removing the Avaddon virus, then let us know in the comments, we will try to help you.
To remove Avaddon ransomware, follow the steps below:
- Kill the Avaddon ransomware process
- Disable the Avaddon ransomware Start-Up
- Delete the Avaddon ransomware Task
- Scan computer for malware
Kill the Avaddon ransomware process
Press CTRL, ALT, DEL keys together.
Click Task Manager. Select the “Processes” tab, look for something suspicious that is the Avaddon ransomware then right-click it and select “End Task” or “End Process” option.
A process is particularly suspicious: it is taking up a lot of memory (despite the fact that you closed all of your programs, its name is not familiar to you (if you are in doubt, you can always check the program by doing a search for its name in Google, Yahoo or Bing). If there are no processes in the list that look suspicious, then the Avaddon virus is hiding under the name of one of the legitimate process. To find a virus, you need to know its file name. The name of the ransomware file can be found in the Task Scheduler (Select ‘update’ task, Click the ‘Actions’ tab) or in the Task manager (click the ‘Start-up’ tab, right click to a start-up entry, click Properties).
Avaddon ransomware – file name
Disable the Avaddon ransomware Start-Up
Select the “Start-Up” tab, look for something similar to the one shown in the example below, right click to it and select Disable.
Close Task Manager.
Delete the Avaddon ransomware Task
Type “Task Scheduler” in the search bar. Click Task Scheduler app in the search results. Click “Task Scheduler Library” in the left panel. On the right panel, right-click to “update” and select Delete.
Close Task Scheduler.
Scan computer for malware
Zemana Anti Malware (ZAM) can remove ransomware, as well as a spyware, trojans, worms, rootkits and other malware. After the detection of the Avaddon ransomware, you can easily and quickly delete it.
Visit the following page to download Zemana Free. Save it on your desktop.
164027 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the download is complete, close all software and windows on your system. Open a directory in which you saved it. Double-click on the icon that’s called Zemana.AntiMalware.Setup as displayed on the screen below.
When the install begins, you will see the “Setup wizard” that will help you install Zemana Free on your computer.
Once installation is done, you will see window such as the one below.
Now press the “Scan” button to perform a system scan with this utility for the Avaddon ransomware virus, other malware, worms and trojans. This task can take some time, so please be patient.
Once the scan get finished, it will open the Scan Results. Make sure to check mark the items which are unsafe and then click “Next” button.
The Zemana Anti Malware will begin to remove Avaddon ransomware virus, other malicious software, worms and trojans.
If you are having problems with the Avaddon removal, then use Kaspersky virus removal tool (KVRT). It is a free removal tool that can be downloaded and run to remove ransomware, adware, spyware, trojans, worms, potentially unwanted programs, malicious software and other security threats from your personal computer. You can run this utility to detect threats even if you have an antivirus or any other security application.
Download Kaspersky virus removal tool (KVRT) from the following link.
129054 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you’ll see the KVRT screen similar to the one below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the Avaddon crypto virus and other malware. This procedure can take quite a while, so please be patient. While the Kaspersky virus removal tool utility is scanning, you can see count of objects it has identified as being affected by malicious software.
After finished, KVRT will open a list of all items found by the scan as displayed on the image below.
Make sure all items have ‘checkmark’ and press on Continue to begin a cleaning process.
How to decrypt encrypted files
Files with a new extension (‘.avdn’ or 10-characters) are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. Good news, Avaddon appears to have shut down. The private keys of victims have been released online. Emsisoft has created a decryptor that uses these keys to decrypt encrypted files. Emsisoft Decryptor for Avaddon can be downloaded from link below.
To decrypt Avaddon ransomware, use the following steps
- Download Avaddon Decryptor from the following link.
https://www.emsisoft.com/ransomware-decryption-tools/download/avaddon - Save the decrypt_Avaddon.exe file to your desktop.
- Run decrypt_Avaddon.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
Unfortunately, today there is no way to decrypt files encrypted by the Avaddon ransomware, because to decrypt them you need a unique key, and this key is in the hands of criminals.
Never pay the ransom! Nevertheless, everyone has to remember that paying the developers of the Avaddon ransomware virus who are threatening you is a terrible idea. You can pay this money, but there is no guarantee that your files will be yours again. That is the reason why you should consider other options (that do not involve paying the makers of the Avaddon ransomware) in order to recover locked files. There still are some ways to defuse crypto malware without paying ransom, so you would not need to pay hackers and you would not let them reach their goal.
Files encrypted with .Avdn extension
Fortunately, there are several alternative methods that do not require the use of a key and therefore allow you restore the contents of encrypted files. Try to recover the encrypted files using free tools listed below.
This video step-by-step guide will demonstrate How to remove Avaddon ransomware and recover .avdn files.
How to recover encrypted files
If all your files are encrypted by Avaddon, then you only have one thing left, use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to restore the contents of encrypted files. These methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now, use free malware removal tools or return to step 1 above.
Restore encrypted files using Shadow Explorer
A free tool named ShadowExplorer is a simple solution to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7 , Vista). You can recover your documents, photos, and music encrypted by Avaddon ransomware from Shadow Copies for free. Unfortunately, this method does not always work due to the fact that the ransomware almost always deletes all Shadow copies.
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer on your system from the link below.
438656 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the download is done, extract the saved file to a directory on your personal computer. This will create the necessary files as on the image below.
Run the ShadowExplorerPortable program. Now choose the date (2) that you want to restore from and the drive (1) you wish to recover files (folders) from such as the one below.
On right panel navigate to the file (folder) you want to recover. Right-click to the file or folder and click the Export button like below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
This video step-by-step guide will demonstrate How to recover encrypted files using Shadow Explorer.
Recover encrypted files with PhotoRec
There is another way to recover the contents of the encrypted files. This method is based on using data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec by clicking on the following link.
Once downloading is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will open a screen as displayed in the figure below.
Select a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown below.
Press File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is finished, press OK button.
Next, press Browse button to choose where restored personal files should be written, then press Search. We strongly recommend that you use an external device to save the restored files!
Count of recovered files is updated in real time. All restored personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the restore is finished, press on Quit button. Next, open the directory where restored documents, photos and music are stored. You will see a contents as displayed below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.
How to protect your PC system from Avaddon ransomware
Most antivirus programs already have built-in protection system against the ransomware. Therefore, if your machine does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert. All-in-all, HitmanPro.Alert is a fantastic utility to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows operating system from MS Windows XP to Windows 10.
First, click the following link, then click the ‘Download’ button in order to download the latest version of HitmanPro.Alert.
After the downloading process is complete, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the tool is started, you’ll be displayed a window where you can choose a level of protection, as displayed below.
Now click the Install button to activate the protection.
Finish words
This guide was created to help all victims of the Avaddon ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt encrypted files; how to recover encrypted files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Avaddon related issues, go to here.
Thanks guys, Just did the steps and recovery my computer from:
HEUR:Trojan.Win32.DelShad.gen
File: C:\Users\lumion\AppData\Roaming\Microsoft\Windows\svchost.exe
It created the files with this extension: .BeBcaBACbD
Take care and thanks for the help!
But this virus clean the shadow copies, so Shadow Explorer is unuseful.
Did you really recover your files with Photorec?
the video demonstrates the actual recovery of encrypted files using PhotoRec.
Man!!!!! Thanks I came back to check if there was a solution!!! I am getting my files back with the decrypt_Avaddon…
Best day ever!
Thanks!