Ragnarok Ransomware Gang Shuts Down and Releases its Decryption Key

Ragnarok, a ransomware group that gained prominence after launching assaults against unpatched Citrix ADC servers, has been shut down and its victims have been given a free decryption key.

Last week, the gang, also known as Asnarok, replaced all 12 victims listed on its dark web domain with a brief instruction on how to decrypt files. This was followed by the public release of a decryptor, which Emsisoft experts confirmed had the master decryption key. The security business, which is known for helping ransomware victims decode their files, has now created a universal decryptor for the Ragnarok ransomware.

Ragnarok is well known for targeting IT networks with the Ragnar Locker malware. It has racked up more than $4.5 million in ransom payments, according to the Ransomware. repayments tracker, after exploiting a Citrix ADC flaw to search for Windows systems vulnerable to the EternalBlue vulnerability – the same vulnerability behind the now-notorious WannaCry attack.

Cybercriminals seized 10 terabytes of data belonging to Portuguese energy major EDP in April 2020 and threatened to disclose it unless a $10.9 million ransom was paid.

The gang then sought $15 million in ransom for up to 2TB of data stolen from the servers of Italian booze giant Campari Group, including bank transactions, staff records, and celebrity agreements.

In November, the crew behind Street Fighter, Resident Evil, and Devil May Cry also targeted Capcom, the Japanese video game behemoth behind titles like Street Fighter, Resident Evil, and Devil May Cry. The group allegedly took 390,000 customers, business partners, and other third-party data from Capcom’s systems.

Bleeping Computer was the first to report on the shutdown.

It’s unclear why Ragnarok has allegedly decided to call it quits without leaving an official goodbye note. However, in the face of mounting pressure from the US government, which earlier this year designated ransomware as a national security threat, other ransomware gangs have adopted a similar self-destruction strategy; Ravil, the gang behind the JBS attack, mysteriously vanished from the internet, and DarkSide, the gang behind the Colonial Pipeline incident, also announced its retirement.

Other ransomware groups, such as Ziggy Avaddon, SynAck, and Fonix, have also stopped hacking this year, handing over their keys to assist victims in recovering from their attacks.

Of course, it’s unclear whether Ragnarok’s demise is permanent or only a rebranding; the notorious DoppelPayment ransomware gang recently returned as Grief Ransomware after months of inactivity.