Ragnarok ransomware operation shuts down and releases free decrypter
The Ragnarok (or Asnarök) ransomware gang shut down their operation today and released a free decryption utility to help victims recover their files.
The free decrypter, hardcoded with a master decryption key, was released today on the gang’s dark web portal, where the group previously used to publish files from victims who refused to pay.
The decrypter, which multiple security researchers have confirmed works, is currently being analyzed; security firms will then rewrite a clean, safe-to-use version that will be made publicly available through Europol's NoMoreRansom portal.
Prior to shutting down earlier today, the Ragnarok gang had been active since late 2019/early 2020.
The gang operated by using exploits to breach a target company’s network and perimeter devices, from where it would pivot to internal networks and encrypt crucial servers and workstations.
To improve its chances of getting paid, the Ragnarok gang also stole files from victim networks, which it threatened to leak on its dark web portal unless the ransom was paid on time.
The group historically targeted Citrix ADC gateways and was also behind the campaign that exploited a zero-day in the Sophos XG firewalls. While the zero-day exploit worked and allowed the gang to backdoor XG firewalls across the world, Sophos spotted the attack in time to prevent the group from deploying its file-encrypting payload.
A month before shutting down today, the Ragnarok team changed the design of its site, removed most past victims, and later even rebranded as “Daytona by Ragnarok.”
Security firm Emsisoft released a free decrypter for Ragnarok victims today.