Ragnarok ransomware gang shuts down and releases decryption key

cybercriminal
(Image credit: Pixabay)

The cybercriminals behind the Ragnarok ransomware have decided to close up shop and have now released the master key capable of decrypting files locked with their malware.

As reported by BleepingComputer, the Ragnarok ransomware gang didn't even leave a note explaining the move. Instead, they replaced all of the victims on their leak site with a short set of instructions that informed them how they could decrypt their files using the now publicly available master key.

At the same time, the group's leak site, which was used to shame victims into paying to decrypt their files, has been stripped of all visual elements. The site now only has several text boxes with instructions as well as an archive containing the master key and the binaries that go along with it.

Normally when ransomware groups shut down, they often leave a note explaining their actions or reach out to a news outlet as was the case with the GandCrab ransomware group in 2019 and the Maze ransomware group last year. While GandCrab explained why it was shutting down in a post on a popular hacking forum, the operators behind the Maze ransomware personally reached out to BleepingComputer to explain their decision.

Victims off the hook

Up until recently, the Ragnarok ransomware leak site provided details on 12 victims whose companies are located in France, Estonia, Sri Lanka, Turkey, Thailand, the US, Malaysia, Hong Kong, Spain and Italy and operate across a variety of industries from manufacturing to legal services.

BleepingComputer also spoke to ransomware expert Michael Gillespie who confirmed that he was able to decrypt files locked using the Ragnarok ransomware with the master key. However, a universal decryptor for the Ragnarok ransomware is currently in development by Emsisoft which is also working on a decryption utility for the SynAck ransomware whose operators closed up shop earlier this month.

The Ragnarok ransomware group has been active in the wild since at least January of last year. The group gained notoriety for exploiting the Citrix ADC vulnerability to encrypt the systems of dozens of victims.

We'll have to wait and see if the cybercriminals behind Ragnarok are developing a new ransomware strain or if they've officially called it quits for good.

Via BleepingComptuer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.