The Avaddon ransomware gang has shut down its operations and released the decryption keys to allow victims to recover their files for free.
Good news for the victims of the Avaddon ransomware gang: the cybercrime group has shut down its operations and handed the decryption keys to the BleepingComputer website.
The group has also shut down its servers, deleted its profiles on hacking forums, and taken its leak site offline.
This morning, BleepingComputer received a message from a source claiming to be the FBI; it included a password and a link to a password-protected ZIP archive.
BleepingComputer shared the decryption keys with the security firm Emsisoft, which has released free decryptors for multiple ransomware families in the past.
PSA: Avaddon appears to have shut down and released 2934 private keys of victims. A public Emsisoft decryption tool is coming soon. Do not pay. If you are a victim and want to know if your files can be decrypted, please reach out to [email protected]. Thanks.
— Fabian Wosar (@fwosar) June 11, 2021
The security company has already developed a free decryptor for the victims of the Avaddon ransomware.
“The Avaddon ransomware encrypts victim’s files using AES-256 and RSA-2048, and appends a random extension.” states Emsisoft.
We've just released a decryptor for #Avaddon #ransomware. https://t.co/4i7nexkT2U
— Emsisoft (@emsisoft) June 11, 2021
The decryptor allows the victims of the Avaddon ransomware to decrypt their files for free. The ransomware gang had been active since June 2020 and delivered its malware via malspam campaigns.
In the aftermath of the shutdown of the DarkSide gang's operation, the Avaddon gang made headlines by targeting multiple organizations in collaboration with the Conti gang.
“Furthermore, ransomware negotiation firms and incident responders saw a mad rush by Avaddon over the past few days to finalize ransom payments from existing unpaid victims. Coveware CEO Bill Siegel has told BleepingComputer that Avaddon’s average ransom demand was around $600k.” reported BleepingComputer. “However, over the past few days, Avaddon has been pressuring victims to pay and accepting the last counteroffer without any push back, which Siegel states is abnormal.”
In May, the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) warned of an ongoing Avaddon ransomware campaign targeting organizations worldwide in multiple industries, including government, finance, energy, manufacturing, and healthcare.
The alert published by the ACSC provides a list of countries under attack, which includes the US, UK, Germany, France, China, Italy, Brazil, India, the UAE, and Spain.
“The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilising the Avaddon Ransomware malware. This campaign is actively targeting Australian organisations in a variety of sectors.” reads the alert published by the ACSC. “The ACSC is aware of several instances where the Avaddon ransomware has directly impacted organisations within Australia.”
The advisory includes details about the Tactics, Techniques, and Procedures (TTPs) associated with the Avaddon group.
Experts speculate that the group has not completely retired and is instead rebranding its operations.
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine