Ragnarok Ransomware Gang Releases Decryptor
The hacking group Ragnarok, which has been active since late 2019, released the key to unlocking victims' files on its dark web portal. The gang, also known as Asnarok, shut down this weekend and posted the news to its public website. The group released its decryptor, hardcoded with a master decryption key, for free. Previously, the site was where Ragnarok would publish data from victims who refused to pay ransom. Ragnarok is the third ransomware group to shut down and release a way for victims to recover files for free this summer, after Avaddon in June and SynAck earlier this month. Several security researchers confirmed that the Ragnarok decryptor works. It is currently being analyzed, and researchers will eventually release a clean, safe-to-use version on Europol's NoMoreRansom portal.
Ragnarok used exploits to breach a target company's network and perimeter devices. From there it would work from the internal network to encrypt an organization's servers and workstations. Ragnarok was also one of several ransomware groups that would not just encrypt but also steal files so it could blackmail victims into paying the ransom. If the ransom wasn't paid by the deadline, they would make good on the threat.
Targeting Citrix ADC gateways was a specialty of the group, which also was behind the campaign that exploited a zero-day in the Sophos XG firewalls. While the zero-day exploit worked and allowed the gang to backdoor XG firewalls across the world, Sophos spotted the attack in time to prevent the group from deploying its file-encrypting payload.
Ragnarok is the latest ransomware group to shut down, due in part to mounting pressure and crackdowns from international authorities that have already led some groups to cease their activity. In addition to Avaddon and SynAck, REvil and DarkSide also closed up shop recently. Ransomware groups are under pressure in other ways, too. A vengeful affiliate of the Conti Gang recently leaked the ransomware group's playbook after the organization underpaid them for their services.
Even as some ransomware groups are closing up, new groups that may have spawned from the previous ranks of these organizations are coming in to fill the gaps. Haron and BlackMatter are among those that have recently emerged with intent to use ransomware to target large organizations that can pay million-dollar ransoms to fill their pockets.