Infamous ransomware gang Ragnarok has appeared to shut down its operations and released a decryption key for its victims.
The group, also known as Asnarok, provided instructions on how to decrypt files on its dark web portal.
The news was first reported by BleepingComputer, which noted that the instructions had replaced the list of victims on the group's site. In addition, visual elements have been removed, leaving only a link to the decryption tools.
Since appearing in 2019, the group has targeted unpatched Citrix ADC servers using the Ragnar Locker ransomware. This exploit allowed it to search for vulnerable Windows computers and exploit the EternalBlue flaw.
EternalBlue is the same vulnerability that was exploited in the infamous WannaCry ransomware attack in 2017, which caused millions of dollars of damage after infecting over 200,000 computers.
Ragnarok has allegedly made over $4.5 million from dozens of victims through its activities.
One of the gang’s highest profile attacks was in April last year, when it extorted Portuguese energy company EDP for $10.9 million after stealing 10 terabytes of data. It also demanded $15 million from Italian liquor company Campari Group for 2TB of data.
While using decryption tools provided by criminal groups can be risky, the one provided by Ragnarok was confirmed to contain the master decryption key by security experts at Emsisoft. The company had been developing a universal decryptor for Ragnarok’s malware.
Ragnarok did not leave a note explaining their reasons for disbanding.
Cybercriminal groups going offline is not a rare occurrence, and there are several reasons behind it. Some of them go dark after a high-profile case draws too much attention to them.
Perhaps the highest profile case in recent years was the disappearance of the notorious hacker group REvil. The Russia-linked group was widely believed to be behind the Kaseya and JBS ransomware attacks, the latter of which likely netted the criminals an $11 million ransom.
The move came after US President Joe Biden discussed global cybersecurity with his Russian counterpart, Vladimir Putin.
This led to speculation that REvil was taken down by either Russian or US authorities. However, given the lucrative and well-publicised attacks they made this year, the criminals could simply have taken the money and run.
Sometimes, cybercriminals have a change of heart. The people behind Ziggy, a minor and unsophisticated ransomware gang, refunded the money they had extorted from their victims after claiming to have had such a change of heart.
However, while cybercriminal groups may come and go, the criminals themselves are fully capable of re-emerging later under a new guise.