Avaddon ransomware shuts down, distributes thousands of decryption keys


The infamous Avaddon ransomware group, which by some accounts has been one of the most prolific in 2021, has apparently shut down its operations.

As further evidence that it has closed shop, the group sent decryption keys for almost 3,000 of its victims to Lawrence Abrams of Bleeping Computer.

Abrams worked with Fabian Wosar, CTO of cybersecurity vendor Emsisoft, and Michael Gillespie of ransomware recovery consultants Coveware, to verify the decryption keys. Emsisoft then rolled the keys into a free tool that Avaddon victims can use to decrypt their files.

"This isn't new and isn't without precedence. Several ransomware threat actors have released the key database or master keys when they decide to shut down their operations," Wosar told ZDNet.

Scale of operations

Wosar further states that the key database suggests Avaddon had attacked a total of 2,934 victims. He says the threat actors demanded around $600,000 on average from each victim, which, even after the discounts typically conceded in negotiations, would have generated a substantial income for Avaddon.

Analyzing Avaddon's recent interactions, Wosar suggests the move was planned. The Avaddon operators exhibited an uncharacteristic urgency in recent ransom negotiations and seemed to accept even the most meager counteroffers during the past couple of days.

"So this would suggest that this has been a planned shutdown and winding down of operations," Wosar told ZDNet.

Although the group hasn't revealed its reasons for the shutdown, it appears that the US's recently toughened stance and the UK's posturing against ransomware operators, including mounting pressure on the governments under whose jurisdictions these threat actors operate, have had a bearing on the wind-down.

What's surprising about the whole exercise, though, is the total number of victims. A report from cybersecurity vendor eSentire attributes only 88 attacks to Avaddon, a figure based on incidents the victims themselves disclosed. The release of 2,934 keys, however, is a clear indication that the overwhelming majority of Avaddon's victims never publicly reported the attack.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.