Ragnarok shuts down and releases the decrypter

The criminal group Ragnarok has ceased operations and released a free decrypter to enable victims to recover encrypted files.
The decrypter was published on the criminal group’s page used to post files related to victims who refused to pay.

Multiple security researchers have already confirmed that the decrypter functions correctly and is currently undergoing analysis to create a secure version for publication on the Europol NoMoreRansom website.

Initial Ragnarok operations were documented in 2019. The threat actors exploited vulnerabilities to compromise perimeter systems and conducted lateral movement across internal networks, encrypting servers and workstations.
Among the most frequently exploited vulnerabilities by this group were those affecting Citrix ADC gateways and a zero-day exploit targeting Sophos XG firewalls.
To increase ransom payment likelihood, Ragnarok combined data encryption with exfiltration (TA0010), subsequently threatening victims if payment was not received within the specified timeframe.

Following Avaddon and SynAck, Ragnarok represents the third criminal group that dismantled its infrastructure and operations during this period, publishing a decryption tool. Tracking such operational shutdowns and Cyber Threat Intelligence on group infrastructure transitions provides critical indicators for understanding ransomware-as-a-service ecosystem dynamics and potential actor rebranding or consolidation patterns.