Priskila

Urgently Needed! Avaddon ransomware (.avdn)


Hello Emsisoft team,

My PC lately got infected by Avaddon ransomware, and I have deleted the virus, but some of my files have been encrypted.

Is there a possible way to decrypt them with decryptor tools, or something else to restore my files?

Thanks


Avaddon Ransomware

One of the victims, at my request, provided encrypted files and a ransom note.
I added malware samples to this, both early and newest. This is being analyzed by decryption specialists.
If there is a positive result, I will let you know. This will apply to all cases that have occurred until today.

  • Thanks 1


Dear Amigo-A,

Thanks for your response

Okay, then I'll be waiting for the positive result. Hope it'll help to restore my files soon *fingers crossed* ☺️

Btw, can you tell me how long it takes for the decryption specialists to figure out how to decrypt avdn files? Because I urgently need my files.

Thank you so much for your help

  • Like 1


Hi sir

My system got infected by this virus and some of my important files got encrypted.

How can I get rid of encrypted files and get those decrypted?

I need my files please help me :(

Thank you in advance 


All my files on local disks D and E have been affected by AVADDON.

I AM NOT ABLE TO RECOVER OR DECRYPT MY FILES. Please, I beg you.

Please solve my problem permanently.

And please tell the way to remove AVADDON from my pc permanently.


  

6 hours ago, Superman ABD said:

And please tell the way to remove AVADDON from my pc permanently.

Removing malware can be done using antivirus software, which can be downloaded free of charge and used to run a scan in real time. If you are already on the Emsisoft company forum, then the logical action would be to download the Emsisoft software and check the system or all drives that are connected. Test results can be added to the message and Emsisoft specialists will help with the analysis of the results.

 

  • Thanks 1

14 hours ago, Priskila said:

Btw, can you tell me how long it takes for the decryption specialists to figure out how to decrypt avdn files? Because I urgently need my files.

I am waiting for the verification results. I have provided samples of files and malware, it remains to wait and hope. It is worse when they immediately say that "decoding by our forces is impossible."

  • Thanks 2

12 hours ago, Amigo-A said:

  

Removing malware can be done using antivirus software, which can be downloaded free of charge and used to run a scan in real time. If you are already on the Emsisoft company forum, then the logical action would be to download the Emsisoft software and check the system or all drives that are connected. Test results can be added to the message and Emsisoft specialists will help with the analysis of the results.

 

Thanks a lot for your great help sir.

You are one of the true AVENGERS who save the real world from ransomware and malware.

I use your Antivirus sir.

And please, I kindly request you to create a 100% successful way to decrypt Avaddon infected files.

There are many important files there. I spent a lot of time creating them, but in a few seconds that ransomware has spoiled my work.

Please sir please...I'm waiting for your answer.

  • Like 1

16 hours ago, Amigo-A said:

I am waiting for the verification results. I have provided samples of files and malware, it remains to wait and hope. It is worse when they immediately say that "decoding by our forces is impossible."

Sir, thank you very very much for following up.

I have a question, is it possible to find a clue or a key for decryption from the avaddon virus file? 


Specialists of several companies (Emsisoft, DrWeb) are working on decryption of files that are encrypted by Avaddon.
There are currently no decryptors or successful decryption methods without paying the ransom.

  • Thanks 2

5 hours ago, Amigo-A said:

Specialists of several companies (Emsisoft, DrWeb) are working on decryption of files that are encrypted by Avaddon.
There are currently no decryptors or successful decryption methods without paying the ransom.

Dear Amigo-A sir/madam, I'm going to format my AVADDON infected PC totally and upgrade my Windows.

So can I move and keep my most important AVADDON infected files on any flash or external hard drive?

After you create an AVADDON decrypter, can I decrypt my AVADDON infected files that were moved to flash?

Are there any problems decrypting infected files which were moved from the infected PC to another device (flash, external hard drive)?

Can I move my important AVADDON infected files from the infected PC? Please answer....


@Superman ABD

Usually yes, you need to move all encrypted files and a ransom note to another disk, because it contains a unique code.
In this case, I can’t say for sure, because I have not yet received results.

Most likely, you can move files and reinstall the system.

  • Thanks 1

45 minutes ago, Amigo-A said:

@Superman ABD

Usually yes, you need to move all encrypted files and a ransom note to another disk, because it contains a unique code.
In this case, I can’t say for sure, because I have not yet received results.

Most likely, you can move files and reinstall the system.

Ok thank you sir.

11 hours ago, Amigo-A said:

@Superman ABD

Usually yes, you need to move all encrypted files and a ransom note to another disk, because it contains a unique code.
In this case, I can’t say for sure, because I have not yet received results.

Most likely, you can move files and reinstall the system.

Sir! Can I keep other files (non-ransomware-affected files) on the same flash drive?

Are there any problems in this method?


Don't reinstall Windows until we know for certain what is needed to decrypt files. If there is something other than what's contained in the encrypted files and the ransom notes that's necessary for decryption, then you could wipe that out by reinstalling Windows, thus making it impossible to decrypt your files.

For now just rely on Anti-Virus software to clean up the system. If you're not certain if it's clean, then let us know, and we can assist you.

  • Thanks 2

9 hours ago, GT500 said:

Don't reinstall Windows until we know for certain what is needed to decrypt files. If there is something other than what's contained in the encrypted files and the ransom notes that's necessary for decryption, then you could wipe that out by reinstalling Windows, thus making it impossible to decrypt your files.

For now just rely on Anti-Virus software to clean up the system. If you're not certain if it's clean, then let us know, and we can assist you.

@GT500

But my important files are on other local disks, not on C.

So if I reinstall Windows, that will not affect my encrypted files which are on other local disks, will it, sir?

And I already use your antivirus. What if this antivirus wiped the other things which are needed for decryption? What can I do, sir?


I did not have time to add this yesterday.

Avaddon ransomware and its operators do not care about decrypting files after paying the ransom. Most likely, they will receive a day and hide. This has already happened to those who paid the ransom. They received neither a decryptor nor any feedback. The page that should automatically propose this turned out to be inoperative - error 404.
This may be a temporary technical problem, but any such incident means that the extortionist will spit about your files. They need money, money, and again money.

Be careful! Do not let yourself be fooled!

  • Like 1

5 hours ago, Amigo-A said:

I did not have time to add this yesterday.

Avaddon ransomware and its operators do not care about decrypting files after paying the ransom. Most likely, they will receive a day and hide. This has already happened to those who paid the ransom. They received neither a decryptor nor any feedback. The page that should automatically propose this turned out to be inoperative - error 404.
This may be a temporary technical problem, but any such incident means that the extortionist will spit about your files. They need money, money, and again money.

Be careful! Do not let yourself be fooled!

Ok, thank you sir. I always trust you, and I'm waiting only for your AVADDON decrypter. I never trust them.

Please consider my request.

Shall I reinstall Windows or not? Because until AVADDON affected my PC, I used Windows 7 Professional. Now it has expired and is not secure, so I'm going to upgrade to 10.

Will upgrading my Windows cause any problems for my important ransomware-affected files? Please sir... answer.

Should I keep those files on the same PC with the same Windows, or can I move them to another disk?

  • Like 1

On 6/25/2020 at 3:31 AM, Superman ABD said:

But my important files are on other local disks, not on C.

The ransomware doesn't need to put important information on the same hard drive/partition as the files it encrypted. This is why I recommend waiting to reinstall Windows.

  • Like 1
  • Thanks 1

1 hour ago, GT500 said:

The ransomware doesn't need to put important information on the same hard drive/partition as the files it encrypted. This is why I recommend waiting to reinstall Windows.

Ok sir I'm waiting for you .

But can you let me know about your results in decryption of AVADDON infected files?

Did you get any positive results in decryption of AVADDON files?

20 hours ago, Superman ABD said:

Ok thank you sir. I always trust you.

I must say more precisely -> You trust Emsisoft
Personally, I only help a little to unmask the ransomware.

  • Like 1
  • Thanks 1

57 minutes ago, Amigo-A said:

I must say more precisely -> You trust Emsisoft
Personally, I only help a little to unmask the ransomware.

For you it may be "little", but for us your and Emsisoft's service is always the biggest.

And sir please,can you react to my previous questions? Please sir I'm expecting your answer.

  • Thanks 1


Hello. Information was sent to virus monitoring team, please, wait for reply. 

I received such a message from Dr.Web specialists. They are working on decryption.

  • Like 1
  • Thanks 1

8 hours ago, Amigo-A said:

Hello. Information was sent to virus monitoring team, please, wait for reply. 

I received such a message from Dr.Web specialists. They are working on decryption.

Ok, thank you sir. Keep working, sir. All of us are waiting for you.

9 hours ago, Amigo-A said:

Hello. Information was sent to virus monitoring team, please, wait for reply. 

I received such a message from Dr.Web specialists. They are working on decryption.

Sir, how can I find out whether my AVADDON ID is online or offline?

My AVADDON ID ends with " 0= ". Is it online or offline Id sir ?



The ID is in the ransom note. It is not divided into online and offline, as is done in 'STOP Ransomware'.

At this point in time there have been no public results of the research yet. Or I haven’t seen them yet.

Decryption without an original decryptor and private keys is a rather time-consuming process. Here you or we can’t somehow speed up the process or push decryption specialists. They will do everything they can and even more. You and we just need to wait for the results.

  • Thanks 1

5 hours ago, Superman ABD said:

My AVADDON ID ends with " 0= ". Is it online or offline Id sir ?

The Online/offline ID thing only applies to the STOP/Djvu ransomware, as it uses pre-programmed credentials to encrypt files when it can't connect to its command and control servers so that the criminals can try to maximize their illicit income from victims paying the ransom.

  • Like 1


Our malware analysts say this ransomware appears to be secure, and files will most likely not be decryptable.

  • Sad 1

1 hour ago, GT500 said:

The Online/offline ID thing only applies to the STOP/Djvu ransomware

For reference:
Previously, this method was still in CryptoMix Ransomware and some other ransomware. In the same way, it was possible to decrypt files encrypted offline with keys if the PC was disconnected from the Internet or the ransomware server was inaccessible. 

  • Thanks 1


In regards to reinstalling Windows, we haven't found anything that would suggest you shouldn't do it, however it would be best to wait for Dr. Web to finish their analysis as well just in case they find a reason why reinstalling Windows would be bad.

  • Thanks 1

1 hour ago, GT500 said:

Our malware analysts say this ransomware appears to be secure, and files will most likely not be decryptable.

Sir, what did you say 😦? Please explain. My heart is bursting.

Can't I decrypt my very very important files anymore?

20 hours ago, Superman ABD said:

Can't I decrypt my very very important files anymore?

That's what it looks like, however we recommend waiting for Dr. Web to complete their analysis just in case there was something we overlooked.

  • Sad 2

1 hour ago, GT500 said:

That's what it looks like, however we recommend waiting for Dr. Web to complete their analysis just in case there was something we overlooked.

Ok sir. As soon as you get the results from Dr.Web, please inform us here, sir.

All of us are expecting positive results. Please sir....

On 6/28/2020 at 1:38 PM, GT500 said:

That's what it looks like, however we recommend waiting for Dr. Web to complete their analysis just in case there was something we overlooked.

Sir, did you get any good news from Dr.Web about decrypting Avaddon files? Please sir, we are eagerly waiting for your answer, sir.

12 hours ago, Superman ABD said:

Sir, did you get any good news from Dr.Web about decrypting Avaddon files? Please sir, we are eagerly waiting for your answer, sir.

You'll have to wait for @Amigo-A as I have no contacts at Dr. Web.

  • Thanks 1


Key calculation is not finished yet, there are no final results. There is also no message that decryption is not possible, as is often the case.

 

  • Thanks 1


For files that received the .avdn extension after encryption, I provided 2 different samples of the encryptor in DrWeb.
In the newer version, files already receive 'random' extensions. These are other samples of the encryptor. Most likely, newer ones will cardinally differ from earlier ones.

I contact Dr.Web specialists as a usual user. But I collect and provide all available information, encryptor samples and everything else that is needed.

Main link:  https://legal.drweb.com/encoder/?lng=en  Support works in 10 languages. 

Anyone can order a test decryption by providing:
- 5 different encrypted files and unencrypted original files;
- an original unedited ransom note.
No need to change anything in the files. 

If the victim has not previously used DrWeb products and there was no active DrWeb protection on his PC when the files were encrypted, then after a successful tested decrypt, you will need to purchase the Rescue Package for 150 euros. Support specialists will tell you what needs to be done.

 

  • Thanks 1

56 minutes ago, Amigo-A said:

If the victim has not previously used DrWeb products and there was no active DrWeb protection on his PC when the files were encrypted, then after a successful tested decrypt, you will need to purchase the Rescue Package for 150 euros. Support specialists will tell you what needs to be done.

 

Sir, is this purchase essential one?

Because I already purchased another antivirus after the attack and it has a long time before it expires.

Won't they release the decryptor only?

1 hour ago, Amigo-A said:

 

Anyone can order a test decryption by providing:
- 5 different encrypted files and unencrypted original files;
- an original unedited ransom note.
No need to change anything in the files. 

 

Sir, I have no unencrypted original files, because all of my files have been encrypted by AVADDON.

What can I do sir?

17 hours ago, Superman ABD said:

Sir, is this purchase essential one?

Because I already purchased another antivirus after the attack and it has a long time before it expires.

Won't they release the decryptor only?

Dr. Web does not release free decrypters. Their ransomware decryption service is strictly a paid service, however they will at least let you know if your files can be decrypted before they require you to pay anything.

 

17 hours ago, Superman ABD said:

Sir, I have no unencrypted original files, because all of my files have been encrypted by AVADDON.

What can I do sir?

If they do require a file pair, then you'll need to find one. Try to remember if you ever sent any files to others (via e-mail, file sharing services, etc) or if you ever saved them to any kind of external media (CD's, DVD's, USB flash drives, etc).

  • Thanks 1


DrWeb has been producing free decoders for many years, and was the first to start doing it. It continues to do free decryption for its licensed users around the world.
Test decryption is done for free. It is better than paying first and then being told that decryption is impossible.
I made a request — separately the decryption service is not provided. Only within the scope of 'Rescue Package'. 
Now more computing power is required to provide a decryption service, therefore it cannot be absolutely free to all affected users.

  • Like 1


Necessary requirements are indicated on the page https://legal.drweb.com/encoder/?lng=en and in the form of sending files, they can be attached to the message.
For different decryption, different elements may be needed. File pairs may not be needed if there is an encoder file that was found. But what will happen in each case, I do not know.

You can try to send only encrypted files and a note with ID.
The encoder name in the DrWeb database is Trojan.DownLoader33.50335, Trojan.DownLoader33.59028 
SHA-256: 05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2 
SHA-256: fa4626e2c5984d7868a685c5102530bd8260d0b31ef06d2ce2da7636da48d2d6

But you can only specify a link to the article. It has both earlier and newer Avaddon Ransomware samples.

 

  • Thanks 1

12 hours ago, Amigo-A said:

Necessary requirements are indicated on the page https://legal.drweb.com/encoder/?lng=en and in the form of sending files, they can be attached to the message.
For different decryption, different elements may be needed. File pairs may not be needed if there is an encoder file that was found. But what will happen in each case, I do not know.

You can try to send only encrypted files and a note with ID.
The encoder name in the DrWeb database is Trojan.DownLoader33.50335, Trojan.DownLoader33.59028 
SHA-256: 05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2 
SHA-256: fa4626e2c5984d7868a685c5102530bd8260d0b31ef06d2ce2da7636da48d2d6

But you can only specify a link to the article. It has both earlier and newer Avaddon Ransomware samples.

 

Sir, I sent a request to this page https://legal.drweb.com/encoder/?lng=en and attached my encrypted files which got infected by Avaddon, but they said that the files were encrypted by 'Medusalocker' and cannot be decrypted, whereas my files have the '.avdn' extension.

What's the problem? I can not decrypt my files? 

Thank you in advance

8 hours ago, Blkrt said:

Sir, I sent a request to this page https://legal.drweb.com/encoder/?lng=en and attached my encrypted files which got infected by Avaddon, but they said that the files were encrypted by 'Medusalocker' and cannot be decrypted, whereas my files have the '.avdn' extension.

What's the problem? I can not decrypt my files? 

Thank you in advance

It's possible your files were encrypted by one ransomware, and then encrypted by another as well. We wouldn't be able to tell for certain without seeing an encrypted file and a copy of the ransom note.

  • Like 1

2 hours ago, GT500 said:

It's possible your files were encrypted by one ransomware, and then encrypted by another as well. We wouldn't be able to tell for certain without seeing an encrypted file and a copy of the ransom note.

Sir, how can I specify that my files were encrypted by one or two ransomware?

Is it possible to decrypt them?

