
Ragnarok ransomware gang closes shop


Ragnarok, one of the most popular ransomware operator groups out there, has abruptly called it quits. Not only has the group behind the infamous ransomware attack on Citrix ADC servers retired out of the blue, it has also released a free decryption key for all of its victims.

On its website, the 12 victims previously listed have been replaced by information on the universal decryption key and how to use it. Multiple media outlets have reported that cybersecurity experts confirmed the authenticity of the decryptor.

Ragnarok was one of the most popular groups out there, infamous for exploiting the Citrix ADC vulnerability to find devices susceptible to EternalBlue, the same vulnerability used in the WannaCry attacks.

It was reported that Ragnarok stole more than $4.5 million in ransom payments.

Nobody knows exactly why Ragnarok decided to jump ship, but experts believe there are two possible scenarios. In one, the group crumbled under pressure from the US government, which recently branded ransomware as a threat to national security.

REvil and DarkSide, groups that successfully targeted JBS and Colonial Pipeline, both announced their retirement earlier this year.

The other scenario is that the group is just rebranding and will soon return under a new name. After being idle for months, the DoppelPaymer ransomware group recently emerged as Grief Ransomware.