[TheRecord] Ragnarok ransomware operation shuts down and releases free decrypter

The Ragnarok (or Asnarök) ransomware gang shut down their operation today and released a free decryption utility to help victims recover their files.

The free decrypter, with a master decryption key hardcoded into it, was released today on the gang’s dark web portal, the same site where the group used to publish files stolen from victims who refused to pay.

Image: The Record

The decrypter, which multiple security researchers have confirmed works, is currently being analyzed; security firms then plan to rewrite it as a clean, safe-to-use version that will be made publicly available through Europol’s NoMoreRansom portal.

Prior to shutting down earlier today, the Ragnarok gang had been active since late 2019 or early 2020.

The gang operated by using exploits to breach a target company’s network perimeter devices, from which it would pivot into internal networks and encrypt crucial servers and workstations.

To improve its chances of getting paid, the Ragnarok gang also stole files from victim networks, which it threatened to leak on its dark web portal unless the ransom was paid on time.

The group historically targeted Citrix ADC gateways and was also behind the campaign that exploited a zero-day in the Sophos XG firewalls. While the zero-day exploit worked and allowed the gang to backdoor XG firewalls across the world, Sophos spotted the attack in time to prevent the group from deploying its file-encrypting payload.

A month before shutting down today, the Ragnarok team changed the design of its site, removed most past victims, and later even rebranded as “Daytona by Ragnarok.”

New leak site for Ragnarok ransomware pic.twitter.com/ZvbXt7LPpm

— Catalin Cimpanu (@campuscodi) July 28, 2021

Ragnarok is now the third ransomware group to shut down and release a way for victims to recover their files for free this summer, after Avaddon in June and SynAck earlier this month.

The post Ragnarok ransomware operation shuts down and releases free decrypter appeared first on The Record by Recorded Future.
