Avaddon ransomware group appears to be closing shop and has sent all its decryption keys to BleepingComputer.

Avaddon had previously announced they were shutting down operations, and it’s not uncommon for a group to release decryption keys when that happens, as there’s no longer any financial incentive to keep victims locked out of their files.

BleepingComputer made the announcement via Twitter.

Today, BleepingComputer was anonymously sent the decryption keys for Avaddon ransomware, likely by the threat actors themselves.

— BleepingComputer (@BleepinComputer) June 11, 2021

All told, there 2,934 decryption keys, each one associated with a victim. Given that experts previously only had proof of 88 Avaddon victims, the number of keys suggest the group was far more successful than anyone realized. It also highlights how few companies actually disclose an attack.

Fabian Wosar, an expert that helped BleepingComputer verify the decryption keys, told ZDNet that negotiations with Avaddon had recently taken on a new intensity, likely indicating the shutdown was planned and negotiators were trying to get whatever they could before the shutdown date.

The shutdown likely resulted from the group making all the money they wanted.

“This isn’t new and isn’t without precedence. Several ransomware threat actors have released the key database or master keys when they decide to shut down their operations,” Wosar told ZDNet.

“Ultimately, the key database we obtained suggests that they had at least 2,934 victims. Given the average Avaddon ransom at about $600,000 and average payment rates for ransomware, you can probably come up with a decent estimate of how much Avaddon generated.”