Ragnarok Ransomware Shuts Down, Decryption Key Released

Ragnarok Ransomware Group Ceases Operations, Releases Decryption Key
The Ragnarok ransomware group, active since 2019 and known for exploiting vulnerabilities in Citrix ADC servers, has reportedly ceased operations. A decryption key has been made freely available to those affected by their attacks.
Decryption Key and Portal Shutdown
Last week, the group – also sometimes identified as Asnarok – replaced all victim listings on its dark web portal with instructions detailing file decryption. Security experts at Emsisoft have verified that the released decryptor contains the master decryption key.
Emsisoft, a firm specializing in assisting ransomware victims, has also developed and released a universal decryptor specifically for Ragnarok ransomware.
Targeting and Financial Gains
Ragnarok primarily utilized the Ragnar Locker ransomware in its attacks, focusing on IT networks. The group exploited a vulnerability within Citrix ADC to identify Windows systems susceptible to the EternalBlue vulnerability – the same flaw leveraged in the WannaCry attack.
According to the Ransomwhe.re payments tracker, Ragnarok accumulated over $4.5 million in ransom payments.
High-Profile Victims
In April 2020, the cybercriminals compromised Portuguese energy company EDP, stealing 10 terabytes of data and demanding a $10.9 million ransom. A subsequent data exfiltration involved up to 2TB of information.
The group also targeted Campari Group, an Italian liquor manufacturer, exfiltrating bank statements, employee records, and agreements with celebrities, and requesting a $15 million ransom.
Attack on Capcom
In November, Ragnarok targeted Capcom, the Japanese video game developer responsible for franchises like Street Fighter, Resident Evil, and Devil May Cry. The gang reportedly stole personal data from approximately 390,000 customers, partners, and other associated parties.
Reasons for Shutdown Remain Unclear
The initial report regarding the shutdown originated with Bleeping Computer. The motivation behind Ragnarok’s decision to disband remains unknown, as no official statement was released.
Trend of Ransomware Group Disappearances
This self-destructive behavior mirrors actions taken by other ransomware groups facing increased scrutiny from the U.S. government, which has designated ransomware as a national security threat. REvil, responsible for the attack on JBS, vanished from the internet, and DarkSide, linked to the Colonial Pipeline incident, announced its retirement.
Other groups, including Ziggy, Avaddon, SynAck, and Fonix, have also ceased operations this year, providing decryption keys to aid victims.
Potential for Rebranding
However, the possibility of Ragnarok simply rebranding cannot be ruled out. The DoppelPaymer ransomware group, for example, recently resurfaced as Grief Ransomware after a period of inactivity.
Industry Reaction
Allan Liska, from Recorded Future’s Computer Security Incident Response Team, expressed cautious optimism on Twitter, stating, “Even though I am sure is only temporary, it is nice to see another win.”