Operators of the ransomware Avaddon stopped working and provided the Bleeping Computer with the keys to decrypt the victims’ data.
On the morning of June 11, 2021, journalists received an anonymous tip (allegedly from the FBI) on a password-protected ZIP file (Decryption Keys Ransomware Avaddon), as well as a password from it. The archive contained three files shown in the screenshot below.
After showing the received files to experts, Fabian Vosar from Emsisoft and Michael Gillespie from Coveware, the journalists established that the decryption keys they received were legitimate.
In total, the attackers sent the publication 2,934 keys to decrypt data, each of which corresponds to a specific victim. Emsisoft experts are already working on a free data decryption tool, which they promise to release within the next 24 hours or even earlier ( UPD : decryptor published ).
All Avaddon sites are currently unavailable and it looks like the ransomware has stopped working. Moreover, according to journalists, in recent days, firms engaged in negotiations with extortionists have noted the insane rush of Avaddon operators, who were in a great hurry to complete all ransom payments. The hackers pressured the victims to pay as quickly as possible, and the counter offers of the “negotiators” remained unanswered.
Most likely, the shutdown of Avaddon is due to increased attention from law enforcement agencies and governments around the world, which are seriously interested in ransomware after the recent attacks on critical infrastructure and companies Colonial Pipeline and JBS .
“Recent actions by law enforcement have made some attackers nervous and here is the result. One has dropped out, and hopefully others will soon follow, ”Emsisoft analyst Brett Callow commented to Bleeping Computer.
The publication notes that the publication of keys to decrypt data is not at all unprecedented. In the past, malware operators TeslaCrypt, Crysis, AES-NI, Shade, FilesLocker, Ziggy, and FonixLocker have released the keys.