Ragnarok Ransom Gang Closes Up Shop, Free Decryptor Released

The same web page was previously used by the Ragnarok cyber criminals to publish information exfiltrated from victims who refused to play along and give in to the threats of double extortion.

The small decryptor file-suite comes with very simple instructions on the Ragnarok gang website. Victims are supposed to paste their device ID into a plain text file, then run two executables in sequence: first 'decode_deviceID.exe', then 'decrypt.exe'.

According to reports, the decryption toolkit provided by Ragnarok has already been tested by a number of different security researchers and is confirmed to work as intended on files scrambled by Ragnarok/Ragnar Locker ransomware. In addition, the toolkit is being examined in detail and reverse-engineered by experts. The goal is to produce an official, potentially safer version of the decryptor that can be distributed through the international Europol portal dedicated to fighting ransomware and helping ransomware victims worldwide.

The Ragnarok ransomware gang showed up on the radar of security researchers in the second half of 2019 and became more active in 2020. Like so many other ransomware threat actors in recent years, Ragnarok started exfiltrating files from compromised networks before encrypting them. This double extortion tactic, now widely used, threatens to leak sensitive information and files online if the ransom isn't paid, adding a second layer of pressure on top of the encryption itself.

The Ragnarok ransomware was used in attacks that exploited a firewall zero-day vulnerability and targeted Citrix ADC gateways. The vulnerability was in a Sophos product, and thankfully the Sophos teams managed to stop the actual encrypting payload of the ransomware from wrecking their customers' systems, even though the hackers initially managed to get in using the zero-day.

There seems to be an ongoing trend among ransomware threat actors to withdraw from the digital landscape and quietly fade into the background. In the summer of 2021 alone, two other ransomware gangs known by the aliases SynAck and Avaddon also packed their bags and released their master decryption tools for free.

If two other huge ransomware threat actors, DarkSide and REvil, have also really shut down their operations rather than quietly rebranding and re-organizing under a new name, this is great news for everyone. It could indicate that forces are at work, tightening the legal grip around the necks of ransomware crews enough to scare them into closing up shop for good.
