Avaddon ransomware group closes shop and delivers keys

The Avaddon ransomware group, one of the most prolific ransomware groups in 2021, has announced that it is going out of business and giving thousands of victims a free decryption tool.

Lawrence Abrams of BleepingComputer claims to have received an anonymous email containing a password and a link to a ZIP file named “Decryption Keys Ransomware Avaddon”.

The file contained the decryption keys of 2,934 victims of the Avaddon ransomware. This startling figure illustrates the fact that many organizations never disclose attacks: some articles previously attributed only 88 attacks to the Avaddon group.

A free tool for Avaddon victims

Lawrence Abrams worked with Fabian Wosar, CTO of Emsisoft, and Michael Gillespie, of Coveware, to verify files and decryption keys. Emsisoft has created a free tool that victims of Avaddon can use to decrypt their files.

Ransomware groups – like those behind Crysis, AES-NI, Shade, FilesLocker and Ziggy – have sometimes released decryption keys and gone out of business for various reasons. A free Avaddon decryption tool was released by a student in Spain in February, but the group quickly updated its malware so that the tool no longer worked.

“This situation is not new and is not without precedent. Several malicious actors released the key database or master keys when they decided to end their operations,” Fabian Wosar said. “In the end, the key database we obtained suggests they had at least 2,934 victims. Considering that the average Avaddon ransom is around $600,000 and the average payment rates for ransomware, you can probably come up with a decent estimate of what Avaddon has made.”

A planned shutdown

Fabian Wosar adds that the people behind Avaddon have probably made enough money from ransomware that they have no reason to continue. Ransom negotiators have noticed some urgency in their negotiations with Avaddon operators in recent weeks, he said. The group gave in “instantly to the meager counter-offers of the past two days”. “So this suggests that this was a planned shutdown and winding-up of operations and that it did not surprise those involved,” he explains.

Data from Recorded Future show that Avaddon has been responsible for nearly 24% of all ransomware incidents since the attack on Colonial Pipeline in May. A ransomware report from eSentire says Avaddon was first seen in February 2019 and operated on a ransomware-as-a-service model, with the software developers giving affiliates a 65% share of all ransoms.

“Members of the Avaddon group are also expected to offer their victims 24/7 support and resources on buying bitcoin, testing files for decryption, and other challenges that can prevent victims from paying the ransom,” the report says. “What’s interesting about this ransomware group is the design of their Dark Web blog site. Not only do they claim to provide a full archive of their victims’ documents, they also feature a countdown clock, showing how much time each victim has left to pay. And to put even more pressure on their victims, they threaten to launch DDoS attacks on their websites if they don’t agree to pay immediately.”

Leading victims

The group has a long list of high-profile victims, including Henry Oil & Gas, European insurance giant AXA, computer hardware company EVGA, software company Vistex, Latvian insurance broker Percival, the Indonesian government airport company PT Angkasa Pura I, Acer Finance and dozens of healthcare organizations, such as Bridgeway Senior Healthcare in New Jersey and Capital Medical Center in Olympia, Washington.

The FBI and the Australian Cyber Security Centre issued advisories last month warning healthcare institutions of the threat of the Avaddon ransomware.

Digital Shadows’ Photon research team said in May that a representative of the Avaddon ransomware had taken to the Exploit forum to announce new rules for its affiliates, including a ban on targeting “the public, educational, health and charity sectors”.

The group also banned affiliates from attacking Russia or any other CIS country. US President Joe Biden is expected to pressure Russian President Vladimir Putin over ransomware attacks at a summit in Geneva on June 16.
