Avaddon Ransomware Operation Shuts Down and Gives Decryption Keys

The Avaddon ransomware-as-a-service operation shut down on June 11 and the threat group released the decryption keys for all of its victims. Bleeping Computer received an email containing a password and a link to a password-protected ZIP file. The file contained the private keys for 2,934 victims of Avaddon ransomware attacks. Emsisoft and Coveware verified the keys as genuine, and Emsisoft has since released a free decryptor that any Avaddon ransomware victim can use to decrypt their files.

Avaddon is a fairly new ransomware-as-a-service operation that began in March 2020. The threat group behind the operation recruited affiliates to carry out attacks and gave them access to a site through which they could generate copies of the ransomware for their own attacks. All ransoms collected were then split between the affiliate and the RaaS operator.

It is common for RaaS operations to shut down abruptly and release the keys for victims who have not yet paid; however, the timing of this shutdown suggests the RaaS operator may have become nervous about the increased focus of government authorities and law enforcement agencies on ransomware gangs.

After the JBS and Colonial Pipeline ransomware attacks, the White House instructed the Department of Justice to centralize its ransomware investigations and to treat such attacks similarly to terrorist attacks. White House deputy press secretary Karine Jean-Pierre said the administration would also be sending the message that responsible states should not harbor ransomware criminals, and that it would engage with the Russian government to urge it to take action against ransomware groups operating in the country.

The G7 nations also committed to taking action on ransomware attacks and released a statement calling on Russia and other nations potentially harboring ransomware gangs to identify, disrupt, and hold accountable those who carry out ransomware attacks, abuse virtual currency to launder ransoms, and commit other cybercrimes. President Biden is also expected to raise the issue of ransomware groups operating from Russia with Vladimir Putin at the Geneva summit on June 16.

Shortly after the DarkSide ransomware attack on Colonial Pipeline, which disrupted fuel supplies to the eastern seaboard, the DarkSide ransomware gang announced it was shutting down. The REvil and Avaddon gangs released a joint statement saying they were changing their rules and would no longer allow their affiliates to attack critical infrastructure companies, governments, healthcare organizations, or educational institutions. It appears that this was not enough for the Avaddon ransomware group. It remains to be seen whether the operation has been shut down for good or whether the operator is simply lying low for a while. It is not unusual for ransomware operations to stop, rebrand, and resume their attacks a few weeks or months later.

Emsisoft threat analyst Brett Callow told Bleeping Computer that the present actions by law enforcement have made some attackers worried, and this is the outcome. Let’s hope others will go down too.