Avaddon Ransomware Gang Evaporates Amid Global Crackdowns  

Ransomware group releases decryptors for nearly 3,000 victims, forfeiting millions in payouts.    

Ransomware group Avaddon has decided to shutter its criminal enterprise after landing in the crosshairs of law-enforcement agencies in the U.S. and Australia.

Avaddon, a prolific ransomware-as-a-service (RaaS) provider, released its decryption keys to BleepingComputer — 2,934 in total — with each key belonging to an individual victim. Law enforcement said the average ransom demanded by the group was about $40,000, meaning they quit and just walked away from millions.

Last month, the Australian Cyber Security Centre in cooperation with the U.S. Federal Bureau of Investigation released an alert about Avaddon. The group spent the days following the alert collecting as many payments as possible before releasing the keys, BleepingComputer reported.

The alert outlined Avaddon’s brutal tactics, including double extortion and even a twist on triple extortion with threats of denial of service (DDoS) attacks against their victims until the ransom was paid.  The agency added Avaddon initiated its ransomware reign of terror with a sprawling spam campaign in February 2019, and over the years evolved into a sophisticated RaaS operation.

Avaddon launched one of these punitive DDoS attacks against Australian-based telecom provider Schepisi Communication when it refused to pay up, according to Malwarebytes Labs. It added that the group was also behind attacks on two U.S. healthcare providers: A medical center and a healthcare center for seniors.

Avaddon was believed to be operating within the Commonwealth of Independent States (former Soviet-bloc countries), meaning the group’s shutdown just happens to coincide with President Biden’s summit with Russian President Vladimir Putin, where officials said ransomware and cybersecurity will be discussed.

Law-Enforcement Crackdowns on Ransomware Gangs

Other ransomware-related groups have been kneecapped by law enforcement including Emotet, which often acted as the initial-access malware for later ransomware payloads. This has inspired others, like Fonix, to get out of the game before law enforcement came knocking. One ransomware group, named Ziggy, went as far as to apologize, issue refunds and ask for help landing a legit job in cybersecurity.

And famously, DarkSide lost control of its servers, money and everything else after crippling the Colonial Pipeline in the U.S. with a ransomware attack, inspiring fellow criminal gang REvil to tweak its terms and add restrictions on the kinds of businesses its RaaS affiliates can attack.

Maybe if they do crimes with a conscience the cops won’t mind?

“This [Avaddon’s shut down] is a good sign that the combined pressure and approach adopted by the U.S. administration is bearing fruit,” Purandar Das from Sotero told Threatpost. “But it is probably too early to declare victory.”

Das added that what’s significant is the number of decryptors Avaddon distributed following the shutdown.

“This group alone had over 2,000 victims,” Das pointed out. “That is an indication of the scale and magnitude of these attacks. Many of these attacks are not seeing the light of day in terms of publicly being known.”

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!



Suggested articles