Avaddon ransomware group, one of the most prolific ransomware groups in 2021, has announced that they are shutting the operation down and giving thousands of victims a decryption tool for free.
BleepingComputer's Lawrence Abrams said he was sent an anonymous email with a password and link to a ZIP file named, "Decryption Keys Ransomware Avaddon."
The file had decryption keys for 2,934 victims of the Avaddon ransomware. The startling figure is another example of how many organizations never disclose attacks, as some reports have previously attributed just 88 attacks to Avaddon.
Abrams worked with Emsisoft chief technology officer Fabian Wosar and Coveware's Michael Gillespie to check the files and verify the decryption keys. Emsisoft created a free tool that Avaddon victims can use to decrypt files.
Ransomware gangs -- like those behind Crysis, AES-NI, Shade, FilesLocker, Ziggy -- have at times released decryption keys and shut down for a variety of reasons. A free Avaddon decryption tool was released by a student in Spain in February but the gang quickly updated their code to make it foolproof again.
"This isn't new and isn't without precedence. Several ransomware threat actors have released the key database or master keys when they decide to shut down their operations," Wosar told ZDNet.
"Ultimately, the key database we obtained suggests that they had at least 2,934 victims. Given the average Avaddon ransom at about $600,000 and average payment rates for ransomware, you can probably come up with a decent estimate of how much Avaddon generated."
Wosar added that the people behind Avaddon had probably made enough money doing ransomware that they had no reason to continue.
According to Wosar, ransom negotiators have been noticing an urgency when dealing with Avaddon operators in recent weeks. Negotiators with the gang are caving "instantly to even the most meager counter offers during the past couple of days."
"So this would suggest that this has been a planned shutdown and winding down of operations and didn't surprise the people involved," Wosar explained.
Data from RecordedFuture has shown that Avaddon accounted for nearly 24% of all ransomware incidents since the attack on Colonial Pipeline in May. An eSentire report on ransomware said Avaddon was first seen in February 2019 and operated as a ransomware-as-a-service model, with the developers giving affiliates a negotiable 65% of all ransoms.
"The Avaddon threat actors are also said to offer their victims 24/7 support and resources on purchasing Bitcoin, testing files for decryption, and other challenges that may hinder victims from paying the ransom," the report said.
"What's interesting about this ransomware group is the design of its Dark Web blog site. They not only claim to provide full dumps of their victims' documents, but they also feature a Countdown Clock, showing how much time each victim has left to pay. And to further twist their victims' arms, they threaten to DDoS their website if they don't agree to pay immediately."
The group has a lengthy list of prominent victims that include Henry Oil & Gas, European insurance giant AXA, computer hardware company EVGA, software company Vistex, insurance broker Letton Percival, the Indonesian government's airport company PT Angkasa Pura I, Acer Finance and dozens of healthcare organizations like Bridgeway Senior Healthcare in New Jersey, Capital Medical Center in Olympia, Washington and others.
The gang made a note of publishing the data stolen during ransomware attacks on its dark web site, DomainTools researcher Chad Anderson told ZDNet last month.
Both the FBI and the Australian Cyber Security Centre released notices last month warning healthcare institutions about the threat of Avaddon ransomware.
The notice said "Avaddon threat actors demand ransom payment via Bitcoin (BTC), with an average demand of BTC 0.73 (approximately USD $40,000) with the lure of a decryption tool offered ('Avaddon General Decryptor') if payment is made."
The group was also implicated in multiple attacks on manufacturing companies across South America and Europe, according to the Australian Cyber Security Centre.
Cybersecurity firm Flashpoint said that alongside REvil, LockBit, and Conti, Avaddon was one of the most prolific ransomware groups currently active.
Digital Shadows' Photon Research Team told ZDNet in May that a forum representative for the Avaddon ransomware took to the Exploit forum to announce new rules for affiliates that included bans on targeting "the public, education, healthcare, and charity sectors."
The group also banned affiliates from attacking Russia or any other CIS countries. US President Joe Biden is expected to press Russian President Vladimir Putin on ransomware attacks at a summit in Geneva on June 16.