Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service
Avaddon Ransomware Operation Calls It Quits, Releases Keys2,934 Decryption Keys Released for Free; Emsisoft Rushes Out Full Decoder
Is the increased focus by Western governments on combating ransomware driving more operations to exit the fray?
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
On Friday, the prolific Avaddon ransomware-as-a-service operation announced that it was shutting down, as Bleeping Computer first reported.
"The recent actions by law enforcement have made some threat actors nervous: this is the result."
"This morning, Bleeping Computer received an anonymous tip pretending to be from the FBI that contained a password and a link to a password-protected ZIP file," the publication reported. "This file claimed to be the 'Decryption Keys Ransomware Avaddon.'" Both Fabian Wosar, CTO of Emsisoft, and ID Ransomware creator Michael Gillespie (@demonslay335), a researcher for ransomware incident response firm Coveware, told the publication that the 2,934 decryption keys are legitimate.
PSA: Avaddon appears to have shut down and released 2934 private keys of victims. A public Emsisoft decryption tool is coming soon. Do not pay. If you are a victim and want to know if your files can be decrypted, please reach out to firstname.lastname@example.org. Thanks.— Fabian Wosar (@fwosar) June 11, 2021
Shortly thereafter, working with Gillespie, Emsisoft released a free decryptor for Avaddon, which it notes uses AES-256 and RSA-2048 to encrypt victims' files.
Avaddon first appeared in March 2020, functioning as a ransomware-as-a-service operation, meaning its operators created a portal for affiliates where they could generate copies of the crypto-locking malware. Affiliates used this malware to infect systems, and every time a victim paid a ransom, the operator and affiliate shared the profits.
Like many operations, Avaddon also ran its own, dedicated data leak site, where nonpaying victims could be named and shamed and extracts of data stolen from their infrastructure leaked to increase the pressure to pay a ransom.
Avaddon has been the focus of separate alerts from the FBI and the Australian Cyber Security Center warning that the operation was especially targeting manufacturers, airlines and healthcare organizations.
More Evidence of Avaddon's Exit
More evidence of Avaddon's departure: Malware analyst 3xp0rt reported Friday that on the Russian-language cybercrime forum XSS, the user X-DDoS, who's apparently a distributed denial-of-service provider, had filed a claim over Avaddon. While the exact claim isn't known, it's likely over services provided for which compensation had not yet been paid.
In the XSS forum, user X-DDoS filed a claim to the Avaddon ransomware group. The context of the claim is private. Earlier, X-DDoS filed a claim to the DarkSide ransomware group and got compensation for services. As known, X-DDoS provided DDoS services.https://t.co/gKPwfzDlVH pic.twitter.com/i4nLUlrEaH— 3xp0rt (@3xp0rtblog) June 11, 2021
Many cybercrime forums offer automated escrow services, backed by dispute resolution, as a guarantee if a buyer or seller should fail to provide promised goods and services or payment (see: Why Darknet Markets Persist).
The claim by X-DDoS over Avaddon followed a previous, successful claim from X-DDoS to XSS made concerning nonpayment of services by DarkSide, 3xp0rt reports.
Players Exiting the Scene
Why Avaddon has supposedly exited the scene remains unclear. Ransomware-as-a-service operations and gangs come and go all the time.
But lately, the pressure on gangs and occasional disruption of their payment streams may have been driving more criminals to curtail their activities.
"The recent actions by law enforcement have made some threat actors nervous: this is the result. One down, and let’s hope some others go down too," Brett Callow, a threat analyst at Emsisoft, tells Bleeping Computer.
In April, for example, the Babuk operation announced it would stop attacks - although still offer its malware for sale to others - following fallout over its high-profile hit on the Metropolitan Police Department of Washington, D.C.
After a DarkSide affiliate hit U.S. fuel supplier Colonial Pipeline, sparking a political firestorm over the CEO's decision to pay a 75 bitcoin ransom, the DarkSide operation on May 13 announced that it was suspending affiliate services. "The affiliate program is closed. Stay safe and good luck," DarkSide claimed.
Experts say that operation will likely lay low for a short time before rebranding. Impressively, the FBI - likely thanks to the help of a foreign law enforcement agency - managed to recover nearly 64 of Colonial Pipeline's bitcoins.
In the wake of that attack on U.S. critical infrastructure, as well as the hit against meatpacking giant JBS, the White House began moving diplomatically to take Moscow to task for allowing ransomware operators to work inside its borders; ordered the Department of Justice to consolidate and centralize its approach to ransomware investigations, putting it on par with how DOJ investigates terrorism; and urged businesses to take ransomware more seriously.
Long-Standing Guidance: Please Don't Pay
Law enforcement and security experts always urge victims to not pay ransoms, since doing so helps perpetuate the illicit business model and directly funds gangs' ongoing research and development efforts.
In some cases, victims can avail themselves of free decryptors, such as those from the public-private No More Ransom project or security firms.
Victims who can wipe and restore systems from backups, without using a decryptor, in some cases will later get a decryption tool for free.
Ransomware operations have previously released the master keys for such crypto-locking malware as Petya (not NotPetya) and GoldenEye; Ziggy; and TeslaCrypt, with its operators even throwing in a free "we are sorry!" message to victims. In all of these cases, security firms were able to use the keys to build free decryptors for victims.
In other cases, law enforcement disruptions, takedowns and arrests have helped authorities get their hands on decryption keys, allowing free decryptors to get developed and released - as happened, for example, with Shade.
Occasionally, researchers find flaws in criminals' encryption schemes, allowing them to create free decryptors or find other workarounds to help victims restore systems. In fact, Avaddon faced just this problem in February, after a researcher found that for PCs infected by the ransomware that hadn't yet been powered off, attackers' original encryption key could be recovered from RAM, as ZDNet reported. Avaddon quickly fixed the problem.
Workarounds Found? Always Ask
But here's a reminder: Security experts say ransomware victims would always do well to contact reputable firms that help victims, for a free chat - or second opinion - to learn if there are any known workarounds that might help the organization more rapidly restore its systems.
Emsisoft's Wosar says he's witnessed multiple cases in which "ransoms were paid, even though it wasn't necessary." Colonial Pipeline, for example, said that the $4.4 million ransom it paid didn't end up helping with recovery.
"I dedicated the past 10 years of my life essentially to ruining the entire ransomware business models for threat actors," Wosar tells me. "And then companies paying, even if it's just like $100,000; it just pains me so."