Avaddon Ransomware Gang Shuts Down Operation and Releases Decryption Keys

Avaddon ransomware is no more. The operation has been shut down and decryptors have been released that allow victims to recover their files free of charge.

On June 11, 2021, Bleeping Computer received an anonymous tip which appeared to have come from the FBI and included a link to a password-protected ZIP file together with its password. The file contained 2,934 decryption keys for Avaddon ransomware, covering all outstanding victims who had not yet paid the ransom.

Fabian Wosar of Emsisoft and Michael Gillespie of Coveware were sent copies of the files and confirmed the decryption keys to be legitimate. Emsisoft has since released a free decryptor that all victims of Avaddon ransomware attacks can use to recover their files.

Avaddon ransomware first appeared in June 2020 and has since grown into a major ransomware operation. While the reason for the shutdown has not been confirmed, it appears that the fallout from the DarkSide ransomware attack on Colonial Pipeline may have spooked the Avaddon operators.

Following that attack, the BitMix cryptocurrency mixing service used by Avaddon to launder ransom payments was shut down, and law enforcement stepped up efforts to tackle the ransomware threat. The Avaddon gang also issued a joint statement with the REvil ransomware gang announcing a change of rules: their affiliates were barred from attacking government, healthcare, educational and charity organizations. Since then, and prior to the shutdown, the gang has reportedly been piling pressure on victims to pay up ahead of what appears to have been a planned closure of the operation.

The ransomware attack on Colonial Pipeline disrupted fuel supplies to the Eastern Seaboard in the United States for a week, with a subsequent attack on JBS threatening food production at plants in the United States.

Following the Colonial Pipeline ransomware attack, the U.S. government has stepped up efforts to tackle the growing ransomware problem, with ransomware elevated from a purely criminal matter to a threat to national security. The recent attacks have threatened the health and wellness of all Americans and are now seen as terrorist acts, for which the consequences for attackers are far more severe.

One of the initiatives launched by President Biden is the creation of a global coalition that will hold countries that shelter ransomware criminals accountable. Many ransomware gangs are believed to operate out of Russia, and while these operations may not be state sponsored, there is a common belief that the Russian government turns a blind eye to the criminal activity provided attacks are not conducted within Russia. Many ransomware variants have been configured to terminate and delete themselves if installed on devices in Russia.

At the G7 summit in the UK over the past few days, the G7 leaders turned up the heat on Russia and Vladimir Putin by issuing a communiqué demanding that Russia take action against individuals based in the country who conduct ransomware attacks. The communiqué called for Russia to “hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.”

President Biden is due to meet Vladimir Putin at the Geneva Summit on June 16, and ransomware will be a topic of conversation. It remains to be seen what action, if any, will be taken by Russia against ransomware gangs operating within the country. Avaddon may be one of the first to shut down, but others may well follow over the coming days, weeks, and months.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news