Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys

The Avaddon ransomware-as-a-service operation was shut down on Friday and the threat group released the decryption keys for all victims. Bleeping Computer was sent an email with a password and a link to a password-protected ZIP file that contained the private keys for 2,934 Avaddon ransomware victims. The keys were confirmed as legitimate by Emsisoft and Coveware, and Emsisoft has since released a free decryptor that all Avaddon ransomware victims can use to decrypt their files.

Avaddon is a relatively new ransomware-as-a-service operation which started up in March 2020. The threat group behind the operation recruited affiliates to conduct attacks and provided them with a portal through which they could generate copies of the ransomware to conduct their own attacks. All ransoms generated were then shared between the affiliate and the RaaS operator.

It is not uncommon for RaaS operations to suddenly stop and release the keys for victims that have not yet paid, but the timing of the shutdown suggests the RaaS operator may have become nervous about the increased focus of governments and law enforcement agencies on ransomware gangs.

Following the ransomware attacks on JBS and Colonial Pipeline, the White House ordered the Department of Justice to centralize its approach to ransomware investigations and treat attacks in the same way as terrorist attacks. White House deputy press secretary Karine Jean-Pierre said it would also be “delivering the message that responsible states do not harbor ransomware criminals,” and will be engaging with the Russian government to try to get action taken against ransomware gangs that operate in the country.

The G7 nations also committed to take action on ransomware attacks and issued a communique calling on Russia and other countries that may harbor ransomware gangs to take steps to identify, disrupt, and hold to account individuals who are conducting ransomware attacks, abusing virtual currency to launder ransoms, and committing other cybercrimes. President Biden is also expected to speak with Vladimir Putin at the Geneva summit on June 16 about ransomware gangs operating out of Russia.

Following the DarkSide ransomware attack on Colonial Pipeline that disrupted fuel supplies to the eastern seaboard, the DarkSide ransomware gang announced it was shutting down. The REvil and Avaddon gangs issued a joint statement saying they were updating their rules and would not permit their affiliates to conduct ransomware attacks on critical infrastructure firms, governments, healthcare organizations, and educational institutions. It would appear that this was not enough for the Avaddon ransomware gang. It remains to be seen whether the operation has been permanently shut down or whether the operator of the ransomware is just lying low for a while. It is not uncommon for ransomware operations to shut down, then rebrand and recommence their attacks several weeks or months later.

“The recent actions by law enforcement have made some threat actors nervous: this is the result. One down, and let’s hope some others go down too,” Emsisoft threat analyst Brett Callow told Bleeping Computer.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.