Ragnarok ransomware gang shuts down and releases decryption key
Ragnarok victims can now decrypt their files using the group’s master key
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
The cybercriminals behind theRagnarok ransomwarehave decided to close up shop and have now released the master key capable of decrypting files locked with theirmalware.
AsreportedbyBleepingComputer, the Ragnarok ransomware gang didn’t even leave a note explaining the move. Instead, they replaced all of the victims on theirleak sitewith a short set of instructions that informed them how they could decrypt their files using the now publicly available master key.
At the same time, the group’s leak site, which was used toshame victimsinto paying to decrypt their files, has been stripped of all visual elements. The site now only has several text boxes with instructions as well as an archive containing the master key and the binaries that go along with it.
Normally when ransomware groups shut down, they often leave a note explaining their actions or reach out to a news outlet as was the case with theGandCrab ransomwaregroup in 2019 and theMaze ransomwaregroup last year. While GandCrab explained why it was shutting down in a post on a popularhacking forum, the operators behind the Maze ransomware personally reached out toBleepingComputerto explain their decision.
Victims off the hook
Up until recently, the Ragnarok ransomware leak site provided details on 12 victims whose companies are located in France, Estonia, Sri Lanka, Turkey, Thailand, the US, Malaysia, Hong Kong, Spain and Italy and operate across a variety of industries from manufacturing to legal services.
BleepingComputeralso spoke to ransomware expertMichael Gillespiewho confirmed that he was able to decrypt files locked using the Ragnarok ransomware with the master key. However, a universal decryptor for the Ragnarok ransomware is currently in development byEmsisoftwhich is also working on adecryption utilityfor the SynAck ransomware whose operators closed up shop earlier this month.
The Ragnarok ransomware group has been active in the wild since at least January of last year. The group gained notoriety for exploiting theCitrix ADC vulnerabilityto encrypt the systems of dozens of victims.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
We’ll have to wait and see if the cybercriminals behind Ragnarok are developing a newransomware strainor if they’ve officially called it quits for good.
ViaBleepingComptuer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
Washington state court systems taken offline following cyberattack
Google TV will require more RAM for future upgrades – which might leave older TVs and streaming boxes behind
