Euro Security Watch with Mathew J. Schwartz

Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Avaddon Ransomware Operation Calls It Quits, Releases Keys

2,934 Decryption Keys Released for Free; Emsisoft Rushes Out Full Decoder
Avaddon Ransomware Operation Calls It Quits, Releases Keys
Seen this Avaddon ransom note? Don't pay.

Is the increased focus by Western governments on combating ransomware driving more operations to exit the fray?

See Also: 5 Requirements for Modern DLP

On Friday, the prolific Avaddon ransomware-as-a-service operation announced that it was shutting down, as Bleeping Computer first reported.

"This morning, Bleeping Computer received an anonymous tip pretending to be from the FBI that contained a password and a link to a password-protected ZIP file," the publication reported. "This file claimed to be the 'Decryption Keys Ransomware Avaddon.'" Both Fabian Wosar, CTO of Emsisoft, and ID Ransomware creator Michael Gillespie (@demonslay335), a researcher for ransomware incident response firm Coveware, told the publication that the 2,934 decryption keys are legitimate.

Shortly thereafter, working with Gillespie, Emsisoft released a free decryptor for Avaddon, which it notes uses AES-256 and RSA-2048 to encrypt victims' files.

Ransomware-as-a-Service Operation

Avaddon first appeared in March 2020, functioning as a ransomware-as-a-service operation, meaning its operators created a portal for affiliates where they could generate copies of the crypto-locking malware. Affiliates used this malware to infect systems, and every time a victim paid a ransom, the operator and affiliate shared the profits.

Like many operations, Avaddon also ran its own, dedicated data leak site, where nonpaying victims could be named and shamed and extracts of data stolen from their infrastructure leaked to increase the pressure to pay a ransom.

Avaddon has been the focus of separate alerts from the FBI and the Australian Cyber Security Center warning that the operation was especially targeting manufacturers, airlines and healthcare organizations.

In Europe, during the fourth quarter of 2020, 16 main RaaS operations were active, of which Egregor and Netwalker accounted for half of all infections seen. Avaddon infections were the tenth most prevalent. (Source: CERT-EU)

More Evidence of Avaddon's Exit

More evidence of Avaddon's departure: Malware analyst 3xp0rt reported Friday that on the Russian-language cybercrime forum XSS, the user X-DDoS, who's apparently a distributed denial-of-service provider, had filed a claim over Avaddon. While the exact claim isn't known, it's likely over services provided for which compensation had not yet been paid.

Many cybercrime forums offer automated escrow services, backed by dispute resolution, as a guarantee if a buyer or seller should fail to provide promised goods and services or payment (see: Why Darknet Markets Persist).

The claim by X-DDoS over Avaddon followed a previous, successful claim from X-DDoS to XSS made concerning nonpayment of services by DarkSide, 3xp0rt reports.

Players Exiting the Scene

Why Avaddon has supposedly exited the scene remains unclear. Ransomware-as-a-service operations and gangs come and go all the time.

But lately, the pressure on gangs and occasional disruption of their payment streams may have been driving more criminals to curtail their activities.

"The recent actions by law enforcement have made some threat actors nervous: this is the result. One down, and let’s hope some others go down too," Brett Callow, a threat analyst at Emsisoft, tells Bleeping Computer.

In April, for example, the Babuk operation announced it would stop attacks - although still offer its malware for sale to others - following fallout over its high-profile hit on the Metropolitan Police Department of Washington, D.C.

After a DarkSide affiliate hit U.S. fuel supplier Colonial Pipeline, sparking a political firestorm over the CEO's decision to pay a 75 bitcoin ransom, the DarkSide operation on May 13 announced that it was suspending affiliate services. "The affiliate program is closed. Stay safe and good luck," DarkSide claimed.

Experts say that operation will likely lay low for a short time before rebranding. Impressively, the FBI - likely thanks to the help of a foreign law enforcement agency - managed to recover nearly 64 of Colonial Pipeline's bitcoins.

In the wake of that attack on U.S. critical infrastructure, as well as the hit against meatpacking giant JBS, the White House began moving diplomatically to take Moscow to task for allowing ransomware operators to work inside its borders; ordered the Department of Justice to consolidate and centralize its approach to ransomware investigations, putting it on par with how DOJ investigates terrorism; and urged businesses to take ransomware more seriously.

Long-Standing Guidance: Please Don't Pay

Law enforcement and security experts always urge victims to not pay ransoms, since doing so helps perpetuate the illicit business model and directly funds gangs' ongoing research and development efforts.

In some cases, victims can avail themselves of free decryptors, such as those from the public-private No More Ransom project or security firms.

Victims who can wipe and restore systems from backups, without using a decryptor, in some cases will later get a decryption tool for free.

Ransomware operations have previously released the master keys for such crypto-locking malware as Petya (not NotPetya) and GoldenEye; Ziggy; and TeslaCrypt, with its operators even throwing in a free "we are sorry!" message to victims. In all of these cases, security firms were able to use the keys to build free decryptors for victims.

In other cases, law enforcement disruptions, takedowns and arrests have helped authorities get their hands on decryption keys, allowing free decryptors to get developed and released - as happened, for example, with Shade.

Occasionally, researchers find flaws in criminals' encryption schemes, allowing them to create free decryptors or find other workarounds to help victims restore systems. In fact, Avaddon faced just this problem in February, after a researcher found that for PCs infected by the ransomware that hadn't yet been powered off, attackers' original encryption key could be recovered from RAM, as ZDNet reported. Avaddon quickly fixed the problem.

Workarounds Found? Always Ask

But here's a reminder: Security experts say ransomware victims would always do well to contact reputable firms that help victims, for a free chat - or second opinion - to learn if there are any known workarounds that might help the organization more rapidly restore its systems.

Emsisoft's Wosar says he's witnessed multiple cases in which "ransoms were paid, even though it wasn't necessary." Colonial Pipeline, for example, said that the $4.4 million ransom it paid didn't end up helping with recovery.

"I dedicated the past 10 years of my life essentially to ruining the entire ransomware business models for threat actors," Wosar tells me. "And then companies paying, even if it's just like $100,000; it just pains me so."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.