Ragnarok ransomware group has decided to abandon its operations and has reportedly published the master key that can decrypt files locked with their malware. The ransomware gang did not leave a note explaining their sudden exit and instead replaced all the victims on their leak site with a short instruction on how to decrypt files.
Sudden exit
The Ragnarok gang, also known as Asnarok, used the leaked site to release data of the victims who refused to pay the ransom. The leak site has been stripped of all aesthetic factors and only contains a brief text linking to an archive consisting of the master key and the associated binaries that go with it in order to use it.
Looking at the leak site, it seems like the ransomware group did not consider shutting down and just wiped everything and shut down their operation.
According to threat intelligence provider HackNotice, the leak site added 12 victims between July 07 and August 16. By listing victims on their website, Ragnarok tried to force them into paying the ransom, under the danger of leaking unencrypted data stolen during the breach. The organizations listed on this page are from various countries such as the U.S., Turkey, France, Spain, Estonia, and Italy operating in various sectors ranging from manufacturing to legal services.
Multiple security experts have confirmed that the Ragnarok decryptor is currently working. It is currently being examined and researchers will eventually publish a clean version that is safe to use on Europol’s NoMoreRansom portal.
Prior to shutting down last week, the Ragnarok ransomware gang had been active since late 2019 and early 2020. The gang targeted dozens of victims by using exploits to breach a target company’s network and perimeter devices, from where it would pivot to internal networks and encrypt crucial servers and workstations. The gang made headlines after exploiting the Citrix ADC vulnerability last year.
Ragnarok is certainly not the first ransomware group to release a decryption key this year. Earlier in February, Ziggy ransomware abandoned its operations and in May, Conti ransomware provided a free-of-cost decryption key to HSE Ireland.
However, even as some ransomware gangs are shutting down their operations, new threat groups that may or may not have spawned from the previous ranks of these organizations are sliding in to fill in the gaps they left. Haron and BlackMatter are the latest inclusion in the ransomware family and are aiming to target large organizations that can pay million-dollar ransoms to fill their pockets.