Ragnarok ransomware announces closure and release of decryption key

In April 2020, the Portuguese energy giant EDP was attacked by a ransomware group and lost 10TB of data. The ransomware group threatened that if EDP did not pay a ransom of $10.9 million, the data would be made public. In November of the same year, the well-known game developer Capcom was attacked by the ransomware group, which stole the personal data of 390,000 customers, business partners, and other external parties.

PGA ransomware

And this ransomware group operates the infamous ransomware Ragnarok, sometimes called Asnarok. Recently, the ransomware group decided to shut down and announce all decryption. If the victim does not destroy the encrypted data, they can now use these keys to restore all files. Of course, considering the time has passed so long, it doesn’t make much sense to recover data now, because these victims must have used other methods to recover data.

Ragnarok’s strategy is the same as that of most current ransomware gangs—first lurks and collects all data of the enterprise, whether important or not, then encrypts all data using RSA2048 and above algorithms and completely deletes the original data, and then send a blackmail letter to the victim asking the company to pay a high ransom in exchange for the key. If the ransom is not paid, not only the data will be encrypted and cannot be recovered, but the stolen private data will also be made public.

Last week, Ragnarok announced on the dark web that the team had decided to withdraw from the ransomware market and disclose the encryption keys of all the victim companies. A total of 12 companies were attacked. These companies were from France, Estonia, Sri Lanka, Turkey, Thailand, the United States, Malaysia, Hong Kong, Spain, and Italy have industries ranging from manufacturing to legal services.

Ransomware expert Michael Gillespie told BleepingComputer that the Ragnarok decryptor released today contains the master decryption key.

“[The decryptor] was able to decrypt the blob from a random .thor file”

For companies with technical capabilities, if necessary, they can directly use the decryptor to restore encrypted files. If they do not have the technical capabilities, they can also use decryptors developed by third-party companies to decrypt. At present, security software developer Emsisoft is using the master decryptor makes an easy-to-use decryption tool.