The Ragnarok ransomware group, active since 2019, has announced its exit from the business and released the master key for decrypting locked files. The group did not provide any note or explanation for this step.

What happened?

According to researchers, Ragnarok’s sudden disappearance may not have been planned.
  • As soon as the group announced its retirement, its leak site had all of its visual elements removed, leaving a short text linking to an archive.
  • The archive contained the master key, along with binaries for using it.
  • Furthermore, the attackers replaced all the victim names on their leak site with a short note on how to unlock files.
  • A universal decryptor for Ragnarok ransomware has been released by Emsisoft. 

About the victims

  • The leak site showed 12 victims, who were added between July 7 and August 16.
  • The victim firms are located in Sri Lanka, Estonia, Turkey, Thailand, France, the U.S., Malaysia, Spain, Italy, and Hong Kong, across multiple sectors.

Recent exit announcements

Ragnarok is not the only ransomware group that has recently released a decryption key to unlock data. Lately, multiple groups have announced their exit and released decryptors.
  • The SynAck ransomware group rebranded itself as El_Cometa and then released the master decryption keys. Additionally, the attackers released a manual for using the keys.
  • In February, Ziggy ransomware shut down and shared a file with 922 keys. In May, Conti ransomware provided a free decryptor to HSE Ireland, and Avaddon released its decryption keys as well.

Ending thoughts

This year, the trends of rebranding, shutting down, and releasing master keys have gained traction among ransomware groups. In this case, one possible reason is the increased pressure from global enforcement agencies. In the meantime, organizations must stay cautious, since new ransomware groups keep emerging in the threat landscape.

Cyware Publisher