Some big time ransomware operators have recently declared they will retire from their malicious ways and stop launching ransomware attacks against the world.
This sounds hopeful, but will these threat actors be gone for good? Or are they just trying to fade into the background until the current fervor around ransomware attacks subsides?
Avaddon ransomware gang announces shutdown
The most recent example of these ransomware operators taking a step back is courtesy of the Avaddon ransomware gang.
The group launched as a ransomware-as-a-service (RaaS) operation in March 2020, but now says it will be shutting down operations and has released the decryption keys for its victims.
Bleeping Computer received the keys as an anonymous tip from someone pretending to be the FBI that included a password and a link to a password-protected ZIP file, named "Decryption Keys Ransomware Avaddon."
Fabian Wosar, CTO of Emsisoft, and Michael Gillespie, a researcher for Coveware, were both able to confirm the 2,934 decryption keys in the file were legitimate.
Here is how Bleeping Computer describes the current state of Avaddon:
"At this time, all of Avaddon's Tor sites are inaccessible, indicating that the ransomware operation has likely shut down.
Furthermore, ransomware negotiation firms and incident responders saw a mad rush by Avaddon over the past few days to finalize ransom payments from existing unpaid victims.
Coveware CEO Bill Siegel has told Bleeping Computer that Avaddon's average ransom demand was around $600k.
However, over the past few days, Avaddon has been pressuring victims to pay and accepting the last counteroffer without any push back, which Siegel states is abnormal."
Emsisoft threat analyst Brett Callow shares his thoughts on what could have pressured Avaddon to close:
"The recent actions by law enforcement have made some threat actors nervous: this is the result. One down, and let's hope some others go down too."
For now, it appears that Avaddon has called it quits.
Babuk ransomware announces shutdown
While Avaddon is the most recent cybercrime gang to announce it will be shutting down, it is not the first.
Earlier this year, the Babuk ransomware syndicate announced it would be closing its doors, but only partially.
The group said that it would no longer launch any attacks, but it would make source code publicly available, as well as continue operations on a RaaS model.
Babuk took credit for a ransomware attack that targeted the Washington D.C. Metropolitan Police Department, which resulted in compromised information of police informants and some employees.
The group is also credited for attacking the NBA's Houston Rockets earlier this year.
It is likely that the attack on the D.C. police is what caused Babuk to limit its operations, as the incident garnered national attention. The group likely decided to take its profits and head for the hills.
DarkSide ransomware operators apologize and shut down
The Russian-affiliated ransomware gang DarkSide also recently decided to stop operating.
The FBI says the criminal hackers were responsible for the Colonial Pipeline ransomware incident that caused fuel shortages along the east coast of the U.S.
The incident has since sparked a national conversation about cybersecurity in critical infrastructure and what must be done to ensure something like Colonial doesn't happen again.
DarkSide even issued an apology for all of the commotion it caused:
"We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.
Our goal is to make money and not to create problems for society.
From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."
Apology or not, it appears the group will be hitting the brakes on its operations.
In a Russian cybercrime forum, the group shared what might have been its final message:
"Starting from version one, we promised to speak about problems honestly and openly. A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the
At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.
The hosting support service doesn't provide any information except 'at the request of law enforcement authorities.' In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.
The following actions will be taken to solve the current issue: You will be given decryption tools for all the companies that haven't paid yet.
After that, you will be free to communicate with them wherever you want in any way you want. Contact the support service. We will withdraw the deposit to resolve the issues with all the affected users.
The approximate date of compensation is May 23 (due to the fact that the deposit is to be put on hold for 10 days on XSS).
In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck.
The landing page, servers, and other resources will be taken down within 48 hours."
The question now is, how long will these operations stay down? And if they do stay down, will the threat actors simply emerge later under a different name?
We'll have to wait for the answers to these questions.