Avaddon ransomware operators appear to have had an apparent change of heart. They recently announced to abandon their operations and released the decryption keys for all the victims.
The Avaddon gang has shared decryption keys, with Bleeping Computer, shrouded in an anonymous tip pretending to be from the FBI.
The file received by the Bleeping team titled Decryption Keys Ransomware Avaddon contained 2,934 decryption keys in three files.
The team soon shared it with Emsisoft, who confirmed the legitimacy of the keys.
In the past, several ransomware groups such as TeslaCrypt, Crysis, AES-NI, Ziggy, GandCrab, Shade, FonixLocker, and FilesLocker have given out decryption keys before shutting down their business.
But, what if this announcement is merely a break taken by the group before spinning up a new version? With that uncertainty, let’s recap the proliferating history of the Avaddon group.
A backdrop into Avaddon
Avaddon ransomware was first seen in February 2020 but emerged as a robust Ransomware-as-a-Service (RaaS) model by June 2020.
It appeared in a wink and a smile campaign in June 2020 and was being propagated via the Phorphiex/Trik botnet.
When launched, the group was recruiting hackers and malware distributors in high numbers to spread the ransomware by whatever means possible.
In a few months of its activity, the group became one of the critical threats across multiple sectors, including healthcare, manufacturing, and private sectors worldwide.
The FBI and Australian law enforcement (ACSC) had released advisories warning against the ransomware group, with the latter claiming that the group also threatened with DDoS attacks.
Earlier this year in February, a decryption tool was released by researchers following which the group changed its tactics.
However, the more bizarre behavior of this ransomware was the way it would attempt to delete backups. Besides the traditional removal of shadow copies of the user’s files, Avaddon also deletes backups and disables automatic repair and recovery functions before cleaning the bin.
Avaddon was another successful example of the current RaaS model that quickly adopted the more aggressive extortion techniques, as also seen with other modern ransomware families. All of these put Avaddon in a powerful position. However, currently, while the Tor sites pertaining to Avaddon are down, indicating the operation has likely ended, it wouldn’t be surprising if it resurfaces in a new avatar.