Ragnarok Ransomware Gang Bites The Dust, Releases Decryptor

Accepted submission by Arthur T Knackerbracket at 2021-08-27 18:48:10
Security

Arthur T Knackerbracket has processed the following story [threatpost.com]:

The Ragnarok gang, also known as Asnarok, closed up shop this week, publishing the news to their public website, according to a post [therecord.media] published Thursday by analyst firm Recorded Future’s The Record, among other sources.

As a parting “gift,” the group released their decryptor, hardcoded with a master decryption key, for free as well on the portal. Previously, the site was primarily the place where Ragnarok would publish data from victims who refused to pay ransom.

“Ragnarok now becomes the third ransomware group that shuts down and releases a way for victims to recover files for free this summer, after the likes of Avaddon [threatpost.com] in June and SynAck [threatpost.com] earlier this month,” according to The Record.

Several security researchers have confirmed that the Ragnarok decryptor works, according to the post. It’s currently being analyzed and researchers will eventually release a clean version that is safe to use on Europol’s NoMoreRansom portal [nomoreransom.org].

Ragnarok, active since late 2019, was seen in April in an attack [threatpost.com] on luxury Italian men’s clothing line Boggi Milano. The gang exfiltrated 40 gigabytes of data from the fashion house, including human resources and salary details.

Ragnarok’s typical modus operandi was to use exploits to breach a target company’s network and perimeter devices. From there it would work from the internal network to encrypt an organization’s servers and workstations.

Ragnarok also was one of a number of ransomware groups that would not just encrypt but also steal files so it could threaten to leak them on its portal to pressure victims to pay demanded ransoms, and then make good on the threat if the threat actors didn’t receive their money by an appointed deadline.

Targeting Citrix ADC gateways was a specialty of the group, which also was behind the campaign that exploited a zero-day in the Sophos XG firewalls [threatpost.com], according to the post.

“While the zero-day exploit worked and allowed the gang to backdoor XG firewalls across the world, Sophos spotted the attack in time [sophos.com] to prevent the group from deploying its file-encrypting payload,” according to The Record.

The gang is the latest ransomware group to shutter operations, due in part to mounting pressures and crackdowns from international authorities that already have led some key players to cease their activity. In addition to Avaddon and SynAck, two heavy hitters in the game, REvil [threatpost.com] and DarkSide [threatpost.com], also closed up shop recently.

Other ransomware groups are feeling the pressure in other ways. An apparently vengeful affiliate of the Conti Gang recently leaked the playbook [threatpost.com] of the ransomware group after alleging that the notorious cybercriminal organization [threatpost.com] underpaid him for doing its dirty work.

However, even as some ransomware groups are hanging it up, new threat groups that may or may not have spawned from the previous ranks of these organizations are sliding in to fill the gaps they left.

Indeed, some think Ragnarok’s exit from the field also isn’t permanent, and that the group will resurface in a new incarnation at some point.
