Small metal key on computer circuit board showing Ragnarok ransomware master decryptor key

Ragnarok Ransomware Gang Closes Up Shop, Leaves Master Decryptor Key Behind

The Ragnarok ransomware gang, which has terrorized all types of organizations around the world since 2019, appears to have gone out of business. The group has scrubbed its public presence from the dark web, leaving behind a master decryptor key at the “leak site” it used to blackmail its victims.

The master decryptor key was quickly verified as authentic and functional by security firm Emsisoft and researcher Michael Gillespie of ID Ransomware. It appears to unlock any file encrypted by the Ragnarok ransomware; Emsisoft is currently working on a easy-to-use universal decryptor tool that will be made available to victims for free via the Europol NoMoreRansom Portal.

Ragnarok ransomware gang takes a hiatus

The Ragnarok ransomware gang did not make any sort of public announcement about going out of business, simply scrubbing the contents of its leak site unexpectedly and replacing it with the master decryptor key and a brief note explaining how to use it.

Ragnarok is among the ransomware groups that has added the element of blackmail to its attacks, exfiltrating sensitive files from targets (usually customer and employee personal data or confidential business information) and threatening to make them public on the leak site if the ransom is not paid. Prior to disappearing and dropping the master decryptor key, the Ragnarok leak site had the names of 12 victims listed as being actively extorted in this way. The site only left one clue as to the group’s future intentions, leaving a cryptic line about “Daytona by Ragnarok.”

The Ragnarok ransomware group is thought to have been in operation since 2019, notching its first high profile attack in January 2020 when it exploited a published vulnerability in Citrix network devices to compromise a number of systems around the world. The group is thought to be based in or around Russia given that the Ragnarok ransomware code contains an exclusion for systems that have Russian or Chinese language settings.

The move comes amidst a minor wave of public shutdowns of ransomware groups, which may have been spurred by increased attention on them after a string of high profile attacks targeting critical infrastructure. Other groups have voluntarily offered up free master decryptor keys before disappearing in recent months, including Conti and Avaddon. This fits an established pattern of ransomware gangs dispersing after becoming a little too successful and drawing a little too much attention, frequently taking several months off before reforming under a new name and going straight back to business.

This isn’t a universal trend, however; some ransomware groups have decided to issue public statements about their decisions to close up shop, and some have even reached out directly to media organizations (as the Maze group did with BleepingComputer when it folded in 2020). These groups have generally only offered a self-serving rationale, rather than providing a master decryptor key to assist previous victims.

Release of master decryptor key provides relief for organizations

The appearance of the master decryptor key is a great relief to the dozen organizations that the Ragnarok ransomware gang was still trying to exploit at the time of their disappearance, along with likely thousands of systems locked up from previous infections. The ransomware gang had been asking for an average price of 0.02 BTC (about $290 USD) for each computer infected, raising rates for larger organizations with deeper pockets.

One of the Ragnarok ransomware group’s last major scores was an April attack on Italian fashion line Boggi Milano, in which it stole 40 gigabytes of internal data including human resources and payroll files. In addition to being quick to move on the Citrix ADC vulnerability after it was disclosed (and while many machines remained unpatched), Ragnarok was one of the first groups to target the Sophos XG firewall vulnerability that appeared in April of last year. The group was found to have penetrated some targets and exfiltrated some files, but Sophos detected the attacks and issued a hotfix that prevented the deployment of the Ragnarok ransomware on patched systems. In 2020 it also successfully attacked video game company Capcom and Portuguese energy giant EDP, deploying ransomware attacks and exfiltrating sensitive files in both cases.

Ransomware has trended upwards in recent years, and attacks are projected to continue increasing as it continues to prove to be a lucrative and successful option for cyber criminals. The practice of data exfiltration and blackmail in tandem with ransomware deployment is still something done by only a relatively small minority of attackers, but is also projected to become more popular as it has seemed to lead to better outcomes for threat actors like the Ragnarok ransomware group. There has also been a strong trend toward specific targeting of large organizations that have the resources to pay, and more players are getting into the game by way of “ransomware as a service” outfits that allow for outsourcing of the more technical aspects of the attack in return for a cut of the plunder.

Other groups have voluntarily offered up free master decryptor keys before disappearing in recent months. This fits an established pattern of #ransomware gangs dispersing after becoming a little too successful. #cybersecurity #respectdataClick to Tweet

Jorge Orchilles, CTO of SCYTHE, celebrates the end of Ragnarok ransomware but cautions that the problem is not going away any time soon: “Good riddance. It is great to hear that some of these gangs are shutting down but take it with a grain of salt. They may be taking a vacation with the millions of dollars they have made but most likely they are re-investing, re-organizing, and maturing their operations. Organizations should continue to focus on detecting and responding to malicious behavior in their environments.”


Senior Correspondent at CPO Magazine