Ragnarok ransomware gang shuts down, universal decryption key released

The notorious Ragnarok ransomware gang appears to have abruptly closed its operations and entered retirement, releasing a universal decryption key for its past victims.

The Ragnarok group, which has attacked organisations since 2019, made a name for itself by exploiting a vulnerability in unpatched Citrix ADC servers in order to hunt for a firm’s Windows PCs that were vulnerable to the EternalBlue exploit.

At-risk devices then had the Ragnarok ransomware installed onto them, encrypting data files and demanding a Bitcoin ransom payment for their recovery.

Notably, the Ragnarok ransomware attempted to determine whether a computer was likely to be running inside Russia, Belarus, China, Turkmenistan, Ukraine, Latvia, Kazakhstan, or Azerbaijan – and, if so, refused to operate.

In all likelihood, Ragnarok was configured to only activate outside these territories in an attempt to avoid investigation of the gang by local law enforcement.

But now Ragnarok’s portal on the dark web is offline, and what claims to be a universal decryption key has been released.

According to Bleeping Computer, ransomware experts have confirmed that the decryption key will unscramble victims’ data.

The gang, which is believed to have received over $4.5 million in ransom payments over the years, appears to have had a change of heart.

This might be a reflection of concern that computer crime-fighting authorities are showing a greater interest in the ransomware gang’s activities, perhaps prompted by growing international pressure for the countries harbouring cybercriminals to do more to disrupt their activities.

With no public explanation offered as to why the Ragnarok gang has chosen to leave the stage, it’s hard to be certain of the group’s reasoning for its abrupt departure from the cybercrime scene.

Of course, it’s possible that the Ragnarok gang hasn’t actually had a change of heart at all, and has instead simply chosen to lie low for a few months before possibly emerging with a new name and brand.

Whatever the reason, for now at least, we should be grateful that another ransomware gang appears to have hit the self-destruct button.