Ransomware operators sent the keys to the BepiComputer portal office this morning and closed their site on the dark web
The communications and leaks site of the Avaddon ransomware group on the dark web, one of the most active in recent months, woke up closed today: apparently the group that operated the site and the malware has gone out of business, probably due to the high risk of being discovered and arrested: there have been many cybercrime casualties recently, including the DarkSide ransomware and the Slilpp website, the largest marketplace for stolen credentials available on the internet. After closing the site, the operators sent their victims’ cryptographic keys to the Bleeping Computer portal’s newsroom. The material was sent as if it were an anonymous reporting tip with an address where there was a zipped file with the keys.
Material received by the Bleeping Computer portal
According to the editorial staff of Bleeping Computer, experts Fabian Wosar, from Emsisoft, and Michael Gillespie, from Coveware, received copies of the material and confirmed that the keys are true and could be used by victims of the ransomware. The newsroom managed to encrypt a machine with a recent version of Avaddon and then managed to decrypt it with one of the keys.
In total, Avaddon operators sent 2,934 keys to the newsroom, with each key corresponding to a specific victim. Each key was created for a single operation.
Emsisoft is working on a free decryptor with these keys, which should be available within the next 24 hours, if not sooner.
While this doesn’t happen often enough, ransomware groups have already released decryption keys to BleepingComputer and other researchers as a gesture of goodwill when they close or release a new version.