Soon after the end of Ragnarok ransomware, the master key gets released

Victims of the cryptovirus will be able to decrypt their files now

Ragnarok reached the end. Soon after the end of the ransomware, the gang behind it released the decryption key

A group of threat actors known as the Ragnarok ransomware gang seems to have ended its cybercrime career and has even released the master key that can decrypt files locked with its malware.[1] It is unclear what the motive behind the move is, but all of a sudden, all the victims listed on the gang's leak site were replaced with short instructions on how to decrypt files.

The decrypter appears to genuinely work and is currently being analyzed so that security firms can rewrite a clean, safe-to-use version that will be made publicly available through Europol's NoMoreRansom portal. It seems that big changes for the group had been in the works for months, as the team had already changed the design of its site, removed most past victims, and later even rebranded as "Daytona by Ragnarok".

If Ragnarok[2] is truly gone, it will join the list of three other ransomware groups that have already shut down and released a way for victims to recover their files. This summer Avaddon and SynAck did the same.

The gang used to target networks of various companies

The Ragnarok gang has been active since late 2019 and early 2020. The threat actors used exploits to breach a target company's network and perimeter devices, from where they would pivot to internal networks and encrypt crucial servers and workstations.

To improve its chances of getting paid, the Ragnarok gang also stole files from victim networks, which it threatened to leak on its dark web portal unless the ransom was paid on time. The ransomware itself was responsible only for file encryption and was typically executed on the compromised machines by the actors themselves.[3]

This spring Ragnarok hit the luxury Italian men's clothing line Boggi Milano, when it exfiltrated 40 gigabytes of data from the fashion house, including HR and salary details. Back then, nobody knew how much Ragnarok wanted in ransom to return the files.[4] The group tended to target Citrix ADC gateways and was also behind the campaign that exploited a zero-day in Sophos XG firewalls. That campaign only partly succeeded, as Sophos spotted the attack in time and was able to prevent it.

Ransom gangs are leaving the crime world as new faces join

One of the most prolific ransomware gangs in the world also disappeared from the internet in July. The ransomware gang known as REvil has existed for years, and a massive 42% of all recent ransomware attacks trace back to it, but it is known for two hacks in particular.

The gang hit at least 1,000 businesses by attacking the software company Kaseya, in one of the widest ransomware campaigns ever conducted. REvil also hit the meat supplier JBS and demanded a payment of $11 million. Even as world leaders turned their attention to ransomware and threatened action, REvil remained defiant.[5]

However, as some gangs leave the crime scene, others join in. Cybersecurity researchers have warned of four emerging ransomware families that could pose a significant threat to businesses. One of these is LockBit 2.0, a ransomware-as-a-service operation. AvosLocker, Hive, and Hello Kitty ransomware could pose significant danger too.[6]

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
