Ransomware group Ragnarok (Asnarök) announced the end of its activities and published a free utility to recover encrypted files. The free decryptor, with an embedded master key, was posted on Thursday, August 26, on the group’s dark web portal, where the group had previously posted data on victims who refused to pay the ransom.
Several security researchers studied the decryptor and confirmed its authenticity. They are currently carrying out a detailed analysis of the tool, with the aim of rewriting it in a safe and easy-to-use version, which will later be published on Europol’s NoMoreRansom portal.
The Ragnarok ransomware group began operating in late 2019 to early 2020. Using exploits, it broke into network security devices, servers and workstations.
To increase the chances that the victim would pay the ransom, the attackers also stole files from the attacked network and threatened to publish them on their dark web portal if the money wasn't transferred within the allotted time.
Typically, the group attacked Citrix ADC gateways. The group was also behind the wave of attacks on Sophos XG firewalls through a zero-day vulnerability. Although the exploit worked and allowed Ragnarok to install a backdoor on Sophos XG firewalls around the world, Sophos detected the attacks in time and prevented the hackers from deploying more ransomware.
A month ago, the group changed the design of its website, deleted the data of most of its previous victims, and even renamed the site Daytona.
Ragnarok is the third ransomware group to release a recovery decryptor. In June, decryption keys were published by the Avaddon group, and earlier this month by SynAck.