Avaddon Ransomware (.avdn File) Removal Guide

Written by Wilbur Woodham

What is Avaddon Ransomware?

The Avaddon ransomware encrypts user data using AES-256 and RSA-2048, and then requires a ransom of $150 to $350 or more in BTC in order to return the files.

The distribution of this ransomware began in early June 2020. For the first time, Avaddon Ransomware was presented at one of the hacker forums that we know but do not want to “advertise” it again. And the extortionists themselves seem familiar to me, although they “write” their “creations” every time from scratch, the style and other elements of their “creativity” are easily guessed.

Avaddon Ransomware is targeted at users of several languages, contributing to the greatest distribution around the world. Judging by the ransomware onion site, these will be the following languages: English, German, Spanish, French, Italian, Portuguese, Chinese, Japanese, Korean.

Avaddon Ransomware ― Summary

NameAvaddon Virus
Extension.avdn file virus
TypeRansomware
RansomFrom $150 to $350
DetectionRansom:Win32/Avaddon.PA!MTB
Short DescriptionThe ransomware modifies the documents on the attacked device through encryption and asks for the ransom to be paid by the victim supposedly to restore them.
SymptomsThe file virus encrypts the data by adding the .avdn extension, also generating the one-of-a-kind identifier. Note that the .avdn extension becomes the secondary one.
Distribution MethodIt can be spread by hacking through an insecure RDP configuration, using email spam (the subject line of the message “Your new photo?” Or “Do you like my photo?”) And malicious attachments (for example, Image.jpg.js.zip), fraudulent downloads , botnets (Phorphiex / Trik), exploits, malicious ads, web injects, fake updates, repackaged and infected installers.
Technical InfoWritten in C ++ using WinAPI. AES-256 and RSA-2048. Designed for Windows 7-10.
Fix ToolSee If Your System Has Been Affected by .avdn file virus

Avaddon virus

Avaddon ― Spam campaign

What Is It and How Did I Get It?

The new Avaddon Ransomware has come alive in a massive spam campaign targeting users worldwide. The first attack of the Avaddon is being in a spam campaign reminiscent of Nemty Ransomware.

In a wave of emails using subjects like “Your new photo?” or “Do you like my photo?” containing nothing but a winking smiley face, a JavaScript downloader for the Avaddon ransomware is being distributed.1

Emails using subjects like "Your new photo?" or "Do you like my photo?" - Avaddon ransomware

Emails using subjects like “Your new photo?” or “Do you like my photo?” – Avaddon ransomware

That means to the recipient, it would just appear as a .jpg file, as shown below.

Attached to these emails is a JavaScript file masquerading as a JPG photo with names like IMG145673.jpg. It is important to remember that Windows hides file extension by default, even though it is a known security risk.

JavaScript file displayed as a JPG

Avaddon Ransomware

Infected PC Details

The ransom note is known by its well-known pattern: [number]-readme.html

Quotation of the scary message

Your network has been infected by Avaddon
All your documents, photos, databases and other important files have been encrypted and you are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software - Avaddon General Decryptor. Only we can give you this software and only we can restore your files!
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
Download Tor browser - https://www.torproject.org/
Install Tor browser
Open link in Tor browser - avaddonbotrxmuyl.onion
Follow the instructions on this page
Your ID:
NDctTkFiSm8ycFVVdGxRV3ZhVVl6Rmt0V3NEY***
DO NOT TRY TO RECOVER FILES YOURSELF!
DO NOT MODIFY ENCRYPTED FILES!
OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER!

Replaces the wallpaper on the desktop with a pixel image with text urging you to read the instructions.

All your files has been encrypted
Instruction XXXXXX-readme.html

The main informant of the victim, in addition to the ransom note, is the ransomware site, where there is a page with a timer with a QR code for payment.

The first page content:

Your network has been infected by Avaddon
Don't worry, we can help you to restore all your files!
Avaddon General Decryptor price is 150 USD*
4 : 00 : 00 : 00
*If you don’t pay before the time runs out, the price will be doubled!
All your documents, photos, databases and other important files have been encrypted!
To restore all your files you need to buy our special software - Avaddon General Decryptor!
You can do it right now. Follow the instruction below. But remember that you do not have much time!
150 USD
≈ 0.01628378 BTC
3Pg4atmvjJTE8nqFqzQ5Pug1SCtyKSuviy
NOT PAID
1. Buy the Bitcoin cryptocurrency. You will find instructions how you can do it below.
2. Send 0.01628378 BTC to the address: 3Pg4atmvjJTE8nqFqzQ5Pug1SCtyKSuviy (in ONE payment, this amount doesn’t include the transaction fee)
3. The transaction will be confirmed after receiving 6 confirmations
4. When the payment is confirmed, you can download the Avaddon General Decryptor.
Attention!
Please be careful and visually check the address after copy-paste (because on your PC there is probably a malware monitoring and changing the address in your clipboard)

Avaddon ransomware

The second page content:

- What's the matter?
Your computer has been infected with Avaddon Ransomware. All your files have been encrypted and you are not able to decrypt it by yourself. To decrypt your files, you have to buy the Avaddon General Decryptor.

- What can I do to get my files back?
You should buy the software Avaddon General Decryptor. It will scan your PC, network share, all connected devices, and check for encrypted files and decrypt them. Current price: 150 USD. We accept the Bitcoin cryptocurrency.

- What guarantees can you give me?
To make sure that our descriptor is working, you can decrypt 3 files for free. But these files must be images because images usually are not valuable.

Avaddon Virus

Remove Avaddon Ransomware

Reasons why I would recommend GridinSoft2

The is an excellent way to deal with recognizing and removing threats – using Gridinsoft Anti-Malware. This program will scan your PC, find and neutralize all suspicious processes3.

Download GridinSoft Anti-Malware.

You can download GridinSoft Anti-Malware by clicking the button below:

Run the setup file.

When setup file has finished downloading, double-click on the install-antimalware-fix.exe file to install GridinSoft Anti-Malware on your system.

install-antimalware-fix.exe

An User Account Control asking you about to allow GridinSoft Anti-Malware to make changes to your device. So, you should click “Yes” to continue with the installation.

GridinSoft Anti-Malware Setup

Press “Install” button.

GridinSoft Anti-Malware Install

Once installed, Anti-Malware will automatically run.

GridinSoft Anti-Malware Splash-Screen

Wait for the Anti-Malware scan to complete.

GridinSoft Anti-Malware will automatically start scanning your system for Avaddon infections and other malicious programs. This process can take a 20-30 minutes, so I suggest you periodically check on the status of the scan process.

GridinSoft Anti-Malware Scanning

Click on “Clean Now”.

When the scan has finished, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them click on the “Clean Now” button in right corner.

GridinSoft Anti-Malware Scan Result

How to remove Avaddon Ransomware?

Name: Avaddon Ransomware

Description:

The Avaddon ransomware encrypts user data using AES-256 and RSA-2048, and then requires a ransom of $150 to $350 or more in BTC in order to return the files.

The distribution of this ransomware began in early June 2020. For the first time, Avaddon Ransomware was presented at one of the hacker forums that we know, but do not want to "advertise" it again. And the extortionists themselves seem familiar to me, although they “write” their “creations” every time from scratch, the style and other elements of their "creativity" are easily guessed.

Operating System: Windows

Application Category: Ransomware

Sending
User Review
4.51 (37 votes)
Comments Rating 0 (0 reviews)

References

  1. Read more about it here: https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/
  2. GridinSoft Anti-Malware Review from HowToFix site: https://howtofix.guide/gridinsoft-anti-malware/
  3. More information about GridinSoft products: https://gridinsoft.com/comparison

About the author

Wilbur Woodham

I was a technical writer from early in my career, and consider IT Security one of my foundational skills. I’m sharing my experience here, and I hope you find it useful.

One Response

  1. paul June 26, 2020

Leave a Reply

Sending