What just happened? Without explanation, the Ragnarok ransomware group seems to have disappeared, publicly releasing a decryption key that can decrypt any files locked by their ransomware. It is unknown whether Ragnarok is truly retiring or if it's simply retreating into the shadows to plan more surprise attacks.
BleepingComputer first reported on the disappearance, noticing Ragnarok's leak site had been wiped clean. According to security company HackNotice, from July through mid-August, Ragnarok had listed a dozen victims on its site from multiple countries whose files it had stolen and was threatening to leak if they didn't pay the ransom.
Now all that's left is a link to a file containing the master decryption key for their ransomware. Michael Gillespie, who is known for fighting ransomware, confirmed to BleepingComputer that the key on the site can unlock any file with extensions linked to the Ragnarok group. Another security company, Emsisoft, also just released its own universal descriptor for files locked with Ragnarok ransomware.
According to BleepingComputer, Ragnarok first appeared in January 2020 when it attacked Citrix ADC servers, even trying to disable Windows Defender.
Another Ransomware group that seemingly quit this year was Darkside, the group responsible for the Colonial Pipeline attack. Some security companies, however, doubt the sincerity of these retirements.
Intel471 alleges ransomware groups that disappear, apologize, or announce amendments to their policies may just be trying to retreat from the media spotlight surrounding ransomware attacks, only to later resume attacks under new names.
Darkside apologized when it announced it was quitting back in May, but Ragnarok so far hasn't issued any statements.
Photo illustration credit The Daily Beast