Ragnarok ransomware group seemingly retires, releases decryption keys

Daniel Sims

What just happened? Without explanation, the Ragnarok ransomware group appears to have disappeared, publicly releasing a master decryption key that can decrypt any files locked by its ransomware. It is unknown whether Ragnarok is truly retiring or is simply retreating into the shadows to plan further attacks.

BleepingComputer first reported on the disappearance, noticing Ragnarok's leak site had been wiped clean. According to security company HackNotice, from July through mid-August, Ragnarok had listed a dozen victims on its site from multiple countries whose files it had stolen and was threatening to leak if they didn't pay the ransom.

Now all that's left is a link to a file containing the master decryption key for their ransomware. Michael Gillespie, who is known for fighting ransomware, confirmed to BleepingComputer that the key on the site can unlock any file carrying the extensions linked to the Ragnarok group. Another security company, Emsisoft, has also just released its own universal decryptor for files locked by Ragnarok ransomware.

According to BleepingComputer, Ragnarok first appeared in January 2020, when it attacked vulnerable Citrix ADC servers and even tried to disable Windows Defender on the systems it compromised.

Another ransomware group that seemingly quit this year was Darkside, the group responsible for the Colonial Pipeline attack. Some security companies, however, doubt the sincerity of these retirements.

Intel471 suggests that ransomware groups that disappear, apologize, or announce changes to their policies may simply be trying to retreat from the media spotlight surrounding ransomware attacks, only to later resume attacks under new names.

Darkside apologized when it announced it was quitting back in May, but Ragnarok so far hasn't issued any statements.

Photo illustration credit The Daily Beast


 
Maybe Emsisoft releasing a master decryption key had something to do with it? IMO, it does not really make that much sense, since I would think that would have just hardened their resolve to find a not-so-easily decryptable ransomware attack.

But if someone can easily decrypt your attempts at cyber blackmail, it seems like trying to snare others in the trap is pointless.
 
I would think that would have just hardened their resolve to find a not-so-easily decryptable ransomware attack.
Right, they are on to the next criminal enterprise, whether that be as a group or as individuals. Criminals get used to the money and rarely quit unless they face dire consequences. And even then some still don't quit.
 
Here's hoping it's because they're presently being held in a black site by the US or an even less scrupulous government, that the master decryption key was obtained via torture, and they're not getting out anytime soon.
 
Here's hoping it's because they're presently being held in a black site by the US or an even less scrupulous government, that the master decryption key was obtained via torture, and they're not getting out anytime soon.

It's wise to never blackmail Russian companies with strong ties to the Kremlin.
 