Ragnarok Ransomware Gang Retires

The notorious ransomware gang Ragnarok has shut down and released a free decryption key for its victims.

Ragnarok abruptly shut down its operation last week, and publicly released a decryption tool allowing victims to recover the data that the attacks have encrypted. The Ragnarok ransomware group gained notoriety in 2019 for launching attacks against Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP devices, and later Sophos Firewall devices. The gang favoured a “doxware” or double extortion approach, where victims’ data is encrypted as well as stolen, with a threat to leak the stolen data online unless the ransom is paid.

Last week, all of the 12 victims listed on Ragnarok’s dark web portal were removed and replaced with a link to the decyption tool, which experts Emsisoft have verified contains the master decryption key. It’s unknown why the ransomware group have ceased operations, and it’s likely we’ll never know. Ragnarok was known for using the Ragnar Locker ransomware to target IT networks, and claimed dozens in victims in the short period it was in operation. According to the Ransomwhe.re payments tracker, Ragnarok have claimed more than $4.5m in ransom payments.

In the short period – less than two years – that the Ragnarok Gang were in operation, they have launched a number of high-profile attacks, some of which we’ve covered here. In November 2020, they launched an attack on Japanese video game developer Capcom, best known for franchises including Monster Hunter and Resident Evil.