Avaddon Patches Flaw Allowing Free Decryption

After a Ph.D. student at Rey Juan Carlos University published a free decryptor for Avaddon ransomware, the malware developers announced that they had found the flaw in their encryption process and were patching it. The decryptor relied on dumping the memory of the running ransomware process and extracting the unique AES-256 key used to encrypt the files, and that decryption process is now public. Having read the researcher's technical write-up, the malware authors now better understand how to protect their encryption process. They assured their affiliates that, with the flaw fixed, no other victims should be able to decrypt their files for free. To compensate affiliates who failed to receive ransom payments from victims, the Avaddon developers would temporarily increase the revenue share to 80% for affiliates who have “suffered” losses due to the free decryptor's availability.
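The article says only that the decryptor dumped process memory and pulled out the AES-256 key; it does not describe how the key was located. The script below is an added example, not code from the article or from the AvaddonDecryptor project, and it assumes one well-known forensic approach: an AES implementation usually keeps its expanded key schedule (240 bytes for AES-256) in memory while encrypting, and that schedule can be recognised by treating every 32-byte window of a memory image as a candidate key, expanding it per FIPS-197, and checking whether the bytes that follow match. The memory image here is constructed (random noise with one schedule planted at a known offset) and the key is the FIPS-197 Appendix A.3 test vector, so the expansion routine can be checked against a published value.

```python
"""
Locate AES-256 key schedules in a raw memory image.

Added example (not from the original article or the AvaddonDecryptor
project). It assumes the forensic approach of scanning for an expanded
key schedule; the article does not state how the decryptor found the key.
"""
import random


def _rotl8(x: int, s: int) -> int:
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox() -> list:
    """Generate the AES S-box arithmetically (GF(2^8) inverse + affine map)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p walks through the multiplicative group as successive powers of 3 ...
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        # ... while q tracks the inverse of p (repeated division by 3).
        q = (q ^ (q << 1)) & 0xFF
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
SCHEDULE_LEN = 240  # 15 round keys * 16 bytes for AES-256


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 32-byte key; returns the 240-byte schedule."""
    if len(key) != 32:
        raise ValueError("AES-256 key must be 32 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 0x01
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]  # SubWord only (Nk = 8)
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return bytes(b for word in w for b in word)


def _first_expanded_word(cand: bytes) -> bytes:
    """Cheap prefilter: compute only w[8] = w[0] ^ SubWord(RotWord(w[7])) ^ Rcon."""
    t = cand[28:32]
    return bytes([
        cand[0] ^ SBOX[t[1]] ^ 0x01,
        cand[1] ^ SBOX[t[2]],
        cand[2] ^ SBOX[t[3]],
        cand[3] ^ SBOX[t[0]],
    ])


def find_aes256_key_schedules(image: bytes) -> list:
    """Return (offset, key) for every complete AES-256 key schedule in image."""
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 32]
        # Only expand the full schedule when the first derived word already matches.
        if image[off + 32:off + 36] != _first_expanded_word(cand):
            continue
        if image[off:off + SCHEDULE_LEN] == expand_key(cand):
            hits.append((off, cand))
    return hits


# FIPS-197 Appendix A.3 key: a published test vector, planted here as the sample.
SAMPLE_KEY = bytes.fromhex(
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")
PLANT_OFFSET = 1000


def build_sample_memory() -> bytes:
    """Constructed stand-in for a process memory dump: noise with one schedule planted."""
    rng = random.Random(2021)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    return noise(PLANT_OFFSET) + expand_key(SAMPLE_KEY) + noise(800)


if __name__ == "__main__":
    for off, key in find_aes256_key_schedules(build_sample_memory()):
        print(f"AES-256 key schedule at offset {off:#x}, key {key.hex()}")
```

On a real dump the same scan runs over the whole image; the prefilter keeps it cheap because a full expansion is only attempted when the 4 bytes after a candidate key already equal the first derived word. Some implementations keep only the raw key or a partial schedule in memory, in which case the full 240-byte match would need to be relaxed to a shorter prefix.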

Analyst Notes

It’s no surprise that the Avaddon developers responded quickly to fix the vulnerability in their encryption process, as their revenue stream and reputation depend on the security and speed of that process. The response also shows that malware authors pay attention when news of their malware makes its way into public discussion, and know how to respond when their criminal revenue stream is at risk. Anyone who finds a vulnerability that allows data locked by ransomware to be decrypted is always advised to work with coalitions such as No More Ransom or other trusted groups, so that the decryptor reaches victims effectively without tipping off the ransomware authors. Protecting the public at large requires a level of teamwork that independent publishing cannot accomplish.

References:
The No More Ransom Project
Avaddon ransomware fixes flaw allowing free decryption (bleepingcomputer.com)
JavierYuste/AvaddonDecryptor: A decryptor for systems infected by Avaddon ransomware. (github.com)