Ragnarok (aka Asnarök) ransomware was shut down. The ransomware operators announced the termination of all operations and released a free utility to decrypt files.
Researchers have noticed the termination of the activities of the group on the official Ragnarok website on the darknet. The fact is that the site of the criminals suddenly lost all visual elements, and information about all the victims of the ransomware was replaced with a short instruction on how to decrypt the files.A link to the archive containing the master key and related binaries is attached. The hackers did not reveal what exactly caused this unexpected termination of all operations.
The publication Bleeping Computer writes that the well-known information security expert Michael Gillespie has already confirmed that the decryptor contains the master key needed to save the data, and is successfully decrypting files.
The cybercriminals’ utility is currently being studied by experts, and soon antivirus companies (for example, Emsisoft) promise to provide their own safe versions of the tool.
The cyber ransomware group Ragnarok began its activity in late 2019 – early 2020. Using exploits, hackers hacked into network and perimeter security devices and made their way through them to key servers and workstations.
Typically, the group attacked Citrix ADC gateways. In addition, it was behind the sensational wave of attacks on Sophos XG firewalls through a zero-day vulnerability. While the exploit was working and allowed Ragnarok to install a backdoor in Sophos XG firewalls around the world, Sophos detected the attacks in a timely manner and blocked hackers from deploying ransomware.
A month before leaving the cybercriminal arena, the group changed the design of its website, deleted the data of most of its old victims, and then even renamed to Daytona by Ragnarok.
Ragnarok is not the first ransomware to announce its shutdown this year. So, in the spring the ransomware Ziggy was closed, and its operators published the keys to decrypt the data and promised to return the money to the victims.
Then, after sensational attacks on critical infrastructure, as well as Colonial Pipeline and JBS, Avaddon ransomware, whose keys were also published, stopped working. And finally, earlier this month, the hack group El_Cometa, formerly known as SynAck, released master keys to decrypt data that was hit by their ransomware attacks between July 2017 and early 2021.