The notorious Ragnarok ransomware has seemingly shut down its operations. Although the gang didn’t appear inactive, it suddenly released decryption keys for the Ragnarok ransomware, hinting at a departure.
Ragnarok Ransomware Released Decryption Keys
Reportedly, the Ragnarok ransomware gang has joined the few ransomware operations that shut down this year.
Unlike most other ransomware gangs, the threat actors made no formal announcement of a departure. However, the sudden release of decryption keys on its website indicates that Ragnarok ransomware may have ended.
According to Bleeping Computer, the dark web site of the ransomware shows major visual disruptions. The site previously listed the ransomware's victims, which included 12 different firms from various sectors. These predominantly belong to the United States, France, Italy, Estonia, Spain, Turkey, Sri Lanka, Thailand, Malaysia, and Hong Kong.
However, all the site now shows is the master decryption key, the accompanying binaries, and the instructions for using them. It may be an attempt by the developers to remove the key tracing elements from it.
Security researcher Michael Gillespie tested the decryption key and was able to decrypt a random encrypted file with it. This confirms the released key is indeed the master decryptor.
Another Ransomware Departure (?)
Ragnarok's recent victims include the Italian fashion brand Boggi Milano. The firm suffered the attack in April and lost roughly 40GB of data to the hackers. In 2020, the ransomware gang attracted media attention for its massive campaigns exploiting a Citrix vulnerability.
Although Ragnarok wasn’t as furious as REvil or DarkSide, it hadn’t expressed any intentions of a departure either. So it remains unclear if the Ragnarok threat actors have truly decided on a shutdown or not.
Given the increased security attention that ransomware has recently attracted, this might be a hasty move to evade any legal issues. Or, the threat actors might be planning a rebranding, just like DoppelPaymer did lately.
Ziggy and Fonix are two ransomware gangs that shut down operations this year. REvil, Avaddon, and DarkSide also went offline lately.
However, Avaddon and DarkSide soon reemerged as Haron and BlackMatter ransomware, respectively.