Written by Tim Starks

A ransomware gang has apparently disappeared just as its fortunes were rising.

Ransomware experts said Avaddon shut down as of Friday. The operators left no explanation for why they might have done so, and they’re letting their remaining victims off the hook. Avaddon sent Bleeping Computer 2,934 decryption keys, after which the security firm Emsisoft produced a free, public decryption tool.

After last month’s ransomware attack on Colonial Pipeline caused disruptions in the U.S. on fuel delivery, Avaddon became one of the most prolific posters of victim data to its extortion site, compared to other such groups.

“This is great news,” tweeted Allan Liska, a Recorded Future analyst specializing in ransomware. “Avaddon was considered a second tier ransomware operator, but since the Colonial Pipeline attack they have been tied with Conti in terms of number of victims posted to their extortion site.”

But with success has come attention. The FBI and Australian Cyber Security Centre issued warnings last month about Avaddon, which claimed French insurer AXA among its most prominent recent victims.

Avaddon’s disappearance comes not only amid its own burst of success, but as ransomware has become one of the top priorities of law enforcement and policymakers following the attacks on Colonial Pipeline and meat supplier JBS.

“Their recent success could have made them nervous,” Liska wrote to CyberScoop about Avaddon. “Could be the feds took down some of their infrastructure and they shut down before anything else was exposed. They might have made a ton of money and now seemed like a good time to get out.”

Emsisoft’s Brett Callow suggested law enforcement targeting probably played a role. Most recently, the Justice Department said it seized millions of dollars back from the DarkSide operators who hit Colonial. “Enforcement action has a deterrence effect,” Callow said.

It’s also not unprecedented for ransomware gangs facing significant pressure to go underground for a while then rebrand.