Avaddon ransomware shuts down, distributes thousands of decryption keys

The infamous Avaddon ransomware group, which by some accounts has been one of the most prolific in 2021, has apparently shut down its operations.

As further proof of closing shop, the group has sent decryption keys for almost 3000 of their victims to Lawrence Abrams of Bleeping Computer.

Abrams worked with Fabian Wosar, CTO of cybersecurity vendor Emsisoft, and Michael Gillespie of ransomware recovery consultants Coveware, to verify the decryption keys. Emsisoft then rolled the keys into a free tool that Avaddon victims can use to decrypt their files.

"This isn't new and isn't without precedence. Several ransomware threat actors have released the key database or master keys when they decide to shut down their operations," Wosar told ZDNet.

Scale of operations

Wosar further states that the key database suggests that Avaddon had attacked a total of 2934 victims. He says the threat actors on average demanded around $600,000 from their victims, which even after negotiations would have generated quite a lot of money for Avaddon.

Analyzing Avaddon's recent interactions, Wosar suggests the move appears planned. The Avaddon operators exhibited an uncharacteristic urgency in recent ransom negotiations, and seemed to agree to even the most meager counteroffers during the past couple of days.

"So this would suggest that this has been a planned shutdown and winding down of operations," Wosar told ZDNet.

Although the group hasn't revealed its reasons for the shutdown, it appears that the US' recently toughened stance and the UK's posturing against ransomware operators, including mounting pressure on the governments under whose jurisdictions these threat actors operate, have had a bearing on the wind-down.

What's surprising about the whole exercise, though, is the total number of victims. A report from cybersecurity vendor eSentire attributes only 88 attacks to Avaddon based on the number of disclosures by victims. However, the release of the 2934 keys is a clear indication that a staggering majority of the victims shy away from reporting ransomware attacks.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.