Avaddon Ransomware Group Closes Down Its Operations and Issues Decryption Keys

On June 11, the Avaddon ransomware-as-a-service (RaaS) operation shut down and the threat group released the decryption keys for all of its victims. Bleeping Computer received a message containing a password and a link to a password-protected ZIP file that held the individual keys for 2,934 Avaddon ransomware victims. Emsisoft and Coveware confirmed the keys are genuine, and Emsisoft has since released a free decryptor that any Avaddon victim can use to recover their files.

Avaddon is a relatively new ransomware-as-a-service operation that launched in March 2020. The threat group behind it recruited affiliates to carry out attacks and provided them with a portal through which they could generate their own copies of the ransomware for use in their own campaigns. Ransom payments were then split between the affiliate and the RaaS operator.

It is not unusual for RaaS operations to shut down suddenly and release keys to victims who have not paid, but the timing of this closure suggests the operator may have become concerned about the increased scrutiny of ransomware groups by governments and law enforcement agencies.

Following the attacks on JBS and Colonial Pipeline, the White House directed the Department of Justice to prioritize ransomware investigations and to treat such attacks in the same way as terrorist attacks. White House deputy press secretary Karine Jean-Pierre said the administration would also deliver the message that responsible states do not harbor ransomware criminals, and that it would engage with the Russian government to press it to act against the ransomware gangs operating in the country.

The G7 countries have likewise resolved to act against ransomware and issued a communiqué calling on Russia and other nations that may host ransomware groups to identify, disrupt, and hold accountable those who carry out ransomware attacks, launder ransom payments through virtual currency, and commit other cybercrimes. President Biden is also expected to raise the issue of Russian ransomware gangs with Vladimir Putin at the Geneva summit on June 16.

After the DarkSide ransomware attack on Colonial Pipeline disrupted fuel supplies to the eastern seaboard, the DarkSide ransomware gang announced it was shutting down. The REvil and Avaddon groups issued a joint statement saying they were changing their policies and would no longer allow their affiliates to attack critical infrastructure organizations, government bodies, healthcare organizations, and educational institutions. That apparently was not enough for the Avaddon ransomware group. It remains to be seen whether the operation has shut down for good or whether the operator is simply lying low for a while. It is not uncommon for ransomware operations to shut down, rebrand, and resume their attacks a few weeks or months later.

Emsisoft threat analyst Brett Callow told Bleeping Computer that the recent actions by law enforcement have made certain threat groups nervous, and this is the result. Hopefully, many others will stop too.