The Ragnarok ransomware gang has reportedly released the master key that can unlock files that were locked with their malware.
The threat actor did not leave a note explaining the move. Instead, on their leak site, they replaced all the victim listings with a short instruction on how to decrypt files.
The site has been stripped of all visual elements and only contains a brief text that links to an archive that contains the master key and the associated binaries.
It seems that the gang had not planned to shut down its operation and that the decision was rushed.
Ragnarok's leak site had 12 victims listed since July. By listing the victims of its attacks on the website, Ragnarok tried to force them to pay the ransom. The gang also threatened victims with leaking sensitive files on the site.
The companies listed on this page are from various countries, such as the U.S., Turkey, France, Spain, Estonia, and Italy.
Ransomware expert Michael Gillespie told BleepingComputer that the released Ragnarok decryptor indeed contained the master decryption key. The researcher was able to successfully extract a random file from a macOS file, confirming that the utility can be used to unlock various files with the Ragnarok ransomware extensions.
“[The decryptor] was able to decrypt the blob from a random .thor file,” Gillespie told BleepingComputer.
Emsisoft, a developer of various encryption tools, is currently working on a universal decryptor for the Ragnarok ransomware. This will be released shortly.
The Ragnarok ransomware group has been around since January 2020. It gained notoriety for infecting users after exploiting the Citrix ADC vulnerability.