Ragnarok, a ransomware gang operational since 2019 that gained notoriety after launching attacks against unpatched Citrix ADC servers, has shut down and released a free decryption key for its victims.
The gang, sometimes referred to as Asnarok, last week replaced all 12 of the victims listed on its dark web portal with a short instruction on how to decrypt files. This was accompanied by the release of a decryptor, which experts at Emsisoft confirmed contains the master decryption key. The security firm, known for assisting ransomware victims with data decryption, has also released a universal decryptor for Ragnarok ransomware.
Ragnarok is best known for using the Ragnar Locker ransomware to target IT networks. It claimed dozens of victims after exploiting a Citrix ADC vulnerability to search for Windows computers that are vulnerable to the EternalBlue vulnerability — the same vulnerability behind the now-notorious WannaCry attack — and has racked up more than $4.5 million in ransom payments, according to the Ransomwhe.re payments tracker.
In April 2020, the cybercriminals stole 10 terabytes of data belonging to Portuguese energy giant EDP and threatened to leak it if a ransom of $10.9 million was not paid. The gang went on to exfiltrate up to 2TB of data, including bank statements, employee records and celebrity agreements, from the servers of Italian liquor giant Campari Group, and demanded it hand over $15 million in ransom.
And in November, the short-lived ransomware gang also targeted Capcom, the Japanese video games giant behind titles such as Street Fighter, Resident Evil and Devil May Cry. The gang reportedly stole the personal data of 390,000 customers, business partners and other external parties from Capcom’s systems.
News of the shutdown was first reported by Bleeping Computer.
With no formal departure note, it’s not clear why Ragnarok has seemingly decided to call it quits. But other ransomware gangs have adopted a similar self-destruction tactic in the face of increasing pressure from the U.S. government, which earlier this year branded ransomware as a national security threat; REvil, the gang behind the JBS attack, mysteriously disappeared from the internet, and DarkSide, the gang behind the Colonial Pipeline incident, also announced it was retiring.
Other ransomware gangs, including Ziggy Avaddon, SynAck and Fonix, have also all retired from hacking this year, each giving up their keys to help victims recover from their attacks.
Of course, it remains to be seen whether Ragnarok's disappearance is permanent, or whether it will simply rebrand; the infamous DoppelPayment ransomware gang recently reappeared as Grief Ransomware after months of no activity.