Ragnarok Ransomware Gang Bites the Dust, Releases Decryptor

The cybercriminal group, active since late 2019, has closed its doors and released the key to unlocking victims’ files on its dark web portal.

Another cybercriminal gang notorious for ransomware attacks has shut down, publishing its decryptor online to allow victims to unlock and recover their files.

The Ragnarok gang, also known as Asnarok, closed up shop this week, publishing the news to their public website, according to a post published Thursday by analyst firm Recorded Future’s The Record, among other sources.

As a parting “gift,” the group released their decryptor, hardcoded with a master decryption key, for free as well on the portal. Previously, the site was primarily the place where Ragnarok would publish data from victims who refused to pay ransom.
“Ragnarok now becomes the third ransomware group that shuts down and releases a way for victims to recover files for free this summer, after the likes of Avaddon in June and SynAck earlier this month,” according to The Record.

Several security researchers have confirmed that the Ragnarok decryptor works, according to the post. It’s currently being analyzed and researchers will eventually release a clean version that is safe to use on Europol’s NoMoreRansom portal.

Data Thieves

Ragnarok, active since late 2019, was seen in April in an attack on luxury Italian men’s clothing line Boggi Milano. The gang exfiltrated 40 gigabytes of data from the fashion house, including human resources and salary details.

Ragnarok’s typical modus operandi was to use exploits to breach a target company’s network and perimeter devices. From there it would work from the internal network to encrypt an organization’s servers and workstations.

Ragnarok also was one of a number of ransomware groups that would not just encrypt files but also steal them, threatening to leak the data on its portal to pressure victims into paying the demanded ransom, and then making good on the threat if the payment did not arrive by the appointed deadline.

Targeting Citrix ADC gateways was a specialty of the group, which also was behind the campaign that exploited a zero-day in the Sophos XG firewalls, according to the post.

“While the zero-day exploit worked and allowed the gang to backdoor XG firewalls across the world, Sophos spotted the attack in time to prevent the group from deploying its file-encrypting payload,” according to The Record.

Ransomware Gangs Dropping Like Flies

The gang is the latest ransomware group to shutter operations, due in part to mounting pressure and crackdowns from international authorities that have already led some key players to cease their activity. In addition to Avaddon and SynAck, two heavy hitters in the game, REvil and DarkSide, also closed up shop recently.

Other ransomware groups are feeling the pressure in other ways. An apparently vengeful affiliate of the Conti Gang recently leaked the playbook of the ransomware group after alleging that the notorious cybercriminal organization underpaid him for doing its dirty work.

However, even as some ransomware groups are hanging it up, new threat groups that may or may not have spawned from the previous ranks of these organizations are sliding in to fill the gaps they left.

Haron and BlackMatter are among those that have emerged recently with intent to use ransomware to target large organizations that can pay million-dollar ransoms to fill their pockets.

Indeed, some think Ragnarok’s exit from the field also isn’t permanent, and that the group will resurface in a new incarnation at some point.

“Even though I am sure [it] is only temporary, it is nice to see another win,” tweeted Allan Liska, from Recorded Future’s Computer Security Incident Response Team, of the group’s shutdown.
