Jump to content
  • Avaddon ransomware's exit sheds light on victim landscape


    Karlston

    • 627 views
    • 4 minutes
     Share


    • 627 views
    • 4 minutes

    Avaddon ransomware's exit sheds light on victim landscape

     

    A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation.

     

    On June 11th, the Avaddon ransomware gang decided to shut down their operation. As part of the shutdown, the ransomware gang anonymously shared their victims' decryption keys with BleepingComputer.

     

    Using these keys, Emsisoft created a decryptor that allows victims to recover their files for free.

     

    These decryption keys were released as two text files where each victim contained a numeric ID and two base64 encoded cryptographic keys that could decrypt a victim's files.

     

    For many of these keys, the ransomware gang also included an identifier of some sort that could be a Windows domain, the logged-in user's name, or some other identifier.

    Example base64 encoded keys with identifier redacted
    Example base64 encoded keys with identifier redacted

    While some of these IDs reveal significant cyberattacks against previously unknown corporate targets, BleepingComputer does not intend to report on these victims.

    Data sheds light on Avaddon's targets

    After analyzing the unique identifiers attached to the Avaddon decryption keys, cybersecurity firm Advanced Intel has released anonymous details about the victims targeted by the ransomware group.

     

    "Today we shed light on this lost and hidden criminal empire using unique datasets - the full list of Avaddon victims ever targeted by the group over the year of its existence," says Advanced Intel's report.

     

    Of the victims targeted by Avaddon, most organizations resided in the USA, followed by Canada, and then the rest of the world. As noted by the map, there were no known victims in Russia or other CIS countries, as is typical for ransomware gangs.

    Avaddon ransomware victims by country
    Avaddon ransomware victims by country

    The top three industries targeted by Avaddon were Retail (12.5%), Manufacturing (12.2%), and (6.3%), and Finance (7.5%). However, Avaddon targetted a wide range of companies, and while the threat actors targeted some industries more than others, these were likely still opportunistic attacks.

    Avaddon victims by industry
    Avaddon victims by industry

    Finally, using the list of known victims, Advanced Intel grouped them by their yearly revenue, showing that over 50% earned income below $10 million.

    Avaddon victims by revenue
    Avaddon victims by revenue

     On average, Avaddon's victims' revenue are:

     

    • $13 Million USD for small businesses

    • $287 Million USD for medium-sized victims

    • $3.7 Billion USD for larger businesses

     

    An Advanced Intel source states that Avaddon uses a "5x5" rule when determining ransom demands.

     

    "The most common calculation which according to our sensitive and credible source intelligence as used by Avaddon was a so-called “5x5” rule when 5% of the annual revenue is used to start the negotiations, with annual revenue estimated as one-fifth of the total revenue," explained the report.

     

    "In other words, for a victim which has a total revenue of $7 Million USD, the starting ransom price will be $70,000 USD. Typically, Avaddon dropped the price during the bargaining, and the end ransom was around $50,000 USD for a successful operation."

     

    Using this information and internal intelligence based on known victims, Advanced Intel believes that Avaddon's total earnings are of approximately $87 million.

     

    "Feedback from the top-tier underground community members who reportedly worked with Avaddon, as well as other collections from the DarkWeb though which we were able to build an approximate patter for each 3d victim paying the ransom," Advanced Intel's Yelisey Boguslavskiy told BleepingComputer.

     

    "This pattern correlated with our experience of engaging in mitigation of ransomware incidents."

     

    It is not clear why Avaddon shut down its operation, but it is believed to be due to the increased pressure exerted by the US government and law enforcement.

     

    While ransomware has been a problem since 2012, it has not been until the past two years that law enforcement has successfully disrupted these operations.

     

    This disruption has been successful as it targets the affiliates, infrastructure, and payments rather than the ransomware operation's core developers.

     

     

    Avaddon ransomware's exit sheds light on victim landscape


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...