Ragnarok ransomware gang appears to have called it quits and released the master key that can decrypt files locked with their malware.
The threat actor did not leave a note explaining the move and all of a sudden replaced all the victims on their leak site with a short instruction on how to decrypt files.
The leak site has been stripped of visual elements and all that is left on the site is the brief text linking to an archive containing the master key and the accompanying binaries for using it.
Looking at the leak site, it seems like the gang did not plan on shutting down today, and just wiped everything and shut down their operation.
Up until earlier today, the Ragnarok ransomware leak site showed 12 victims, added between July 7 and August 16, threat intelligence provider HackNotice told BleepingComputer.
By listing victims on their website, Ragnarok sought to force them into paying the ransom, under the threat of leaking unencrypted files stolen during the intrusion.
The listed companies are from France, Estonia, Sri Lanka, Turkey, Thailand, U.S., Malaysia, Hong Kong, Spain, and Italy and activate in various sectors ranging from manufacturing to legal services.
Ransomware expert Michael Gillespie told BleepingComputer that the Ragnarok decryptor released today contains the master decryption key.
“[The decryptor] was able to decrypt the blob from a random .thor file,” Gillespie told BleepingComputer initially.
The researcher later confirmed that he was able to decrypt a random file, which makes the utility a master decryptor that can be used to unlock files with various Ragnarok ransomware extensions.
A universal decryptor for Ragnarok ransomware is currently in the works and will soon be released by Emsisoft, a company famed for assisting ransomware victims with data decryption.
The Ragnarok ransomware group has been around since at least January 2020 and claimed dozens of victims after making headlines for exploiting the Citrix ADC vulnerability last year.
Ragnarok is not the only ransomware gang to release a decryption key this year
Is your business effected by Cyber Crime?
If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Digitpol can assist with all stages of cyber related incidents.
Contact Digitpol’s hotlines or respond to us online.
UK +44 20 8089 9944