As further proof of closing shop, the group has sent decryption keys for almost 3000 of their victims to Lawrence Abrams of Bleeping Computer.
Abrams worked with Fabian Wosar, CTO of cybersecurity vendor Emsisoft, and Michael Gillespie of ransomware recovery consultants Coveware, to verify the decryption keys. Emsisoft then rolled the keys into a free tool that Avaddon victims can use to decrypt their files.
"This isn't new and isn't without precedence. Several ransomware threat actors have released the key database or master keys when they decide to shut down their operations," Wosar told ZDNet.
Scale of operations
Wosar further states that the key database suggests that Avaddon had attacked a total of 2934 victims. He says the threat actors on average demanded around $600,000 from their victims, which even after negotiations would have generated quite a lot of money for Avaddon.
Analyzing Avaddon's recent interactions, Wosar suggests the move appears planned. The Avaddon operators exhibited an uncharacteristic urgency in recent ransom negotiations, and seemed to agree to even the most meager counter offers during the past couple of days.
"So this would suggest that this has been a planned shutdown and winding down of operations," Wosar told ZDNet.
Although the group hasn’t revealed its reasons for the shutdown, it appears that the US' recently toughened stance and the UK's posturing against ransomware operators, including mounting pressure on the governments under whose jurisdictions these threat actors operate, have had a bearing on the wind-down.
What’s surprising about the whole exercise, though, is the total number of victims. A report from cybersecurity vendor eSentire attributes only 88 attacks to Avaddon based on the number of disclosures by victims. However, the release of the 2934 keys is a clear indication that a staggering majority of the victims shy away from reporting ransomware attacks.