As further proof of closing shop, the group has sent decryption keys for almost 3000 of their victims to Lawrence Abrams of Bleeping Computer.
Abrams worked with Fabian Wosar, CTO of cybersecurity vendor Emsisoft, and Michael Gillespie of ransomware recovery consultants Coveware, to verify the decryption keys. Emsisoft then rolled the keys into a free tool that Avaddon victims can use to decrypt their files.
"This isn't new and isn't without precedence. Several ransomware threat actors have released the key database or master keys when they decide to shut down their operations," Wosar told ZDNet.
Scale of operations
Wosar further states that the key database suggests that Avaddon had attacked a total of 2934 victims. He says the threat actors on average demanded around $600,000 from their victims, which even after negotiations would have generated quite a lot of money for Avaddon.
Analyzing Avaddon's recent interactions, Wosar suggests the move appears planned. The Avaddon operators exhibited an uncharacteristic urgency in recent ransom negotiations, and seemed to agree to even the most meager counter offers during the past couple of days.
"So this would suggest that this has been a planned shutdown and winding down of operations," Wosar told ZDNet.
Although the group hasn't revealed its reasons for the shutdown, it appears that the US's recently toughened stance and the UK's posturing against ransomware operators, including mounting pressure on the governments under whose jurisdictions these threat actors operate, have had a bearing on the wind-up.
What's surprising about the whole exercise, though, is the total number of victims. A report from cybersecurity vendor eSentire attributes only 88 attacks to Avaddon, based on the number of disclosures by victims. However, the release of the 2934 keys is a clear indication that a staggering majority of the victims shy away from reporting ransomware attacks.