{"id":3113,"date":"2021-08-30T14:47:33","date_gmt":"2021-08-30T12:47:33","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3113"},"modified":"2026-06-08T23:07:56","modified_gmt":"2026-06-08T23:07:56","slug":"ragnarok-shutdown-decrypter-released","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/ragnarok-shutdown-decrypter-released\/","title":{"rendered":"Ragnarok shuts down and releases the decrypter"},"content":{"rendered":"\n<p style=\"text-align: justify\">The criminal group <strong>Ragnarok<\/strong> has ceased operations and released a <strong>free decrypter<\/strong> to enable victims to recover encrypted files.<br \/>The decrypter was published on the criminal group&#8217;s page used to post files related to victims who refused to pay.<\/p>\n<p style=\"text-align: justify\">Multiple security researchers have already confirmed that the <strong>decrypter<\/strong> functions correctly and is currently undergoing analysis to create a secure version for publication on the Europol <a href=\"https:\/\/www.nomoreransom.org\/en\/decryption-tools.html\" class=\"ek-link\">NoMoreRansom<\/a> website.<\/p>\n<figure id=\"attachment_3137\" aria-describedby=\"caption-attachment-3137\" style=\"width: 676px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/08\/Ragnarok-content.png\" alt=\"\" width=\"686\" height=\"177\" class=\"wp-image-3137 size-full\" loading=\"lazy\" \/><figcaption id=\"caption-attachment-3137\" class=\"wp-caption-text\">Decrypter file<\/figcaption><\/figure>\n<p style=\"text-align: justify\">Initial Ragnarok operations were documented in <strong>2019<\/strong>. The threat actors exploited vulnerabilities to compromise perimeter systems and conducted lateral movement across internal networks, encrypting servers and workstations. <br \/>Among the most frequently exploited vulnerabilities by this group were those affecting <strong>Citrix ADC gateways<\/strong> and a zero-day exploit targeting <strong>Sophos XG firewalls<\/strong>.<br \/>To increase ransom payment likelihood, Ragnarok combined data encryption with <strong>exfiltration<\/strong> (TA0010), subsequently threatening victims if payment was not received within the specified timeframe.<\/p>\n<p style=\"text-align: justify\">Following <strong>Avaddon<\/strong> and <strong>SynAck<\/strong>, Ragnarok represents the third criminal group that dismantled its infrastructure and operations during this period, publishing a decryption tool. Tracking such operational shutdowns and <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> on group infrastructure transitions provides critical indicators for understanding ransomware-as-a-service ecosystem dynamics and potential actor rebranding or consolidation patterns.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ragnarok ransomware operation closure with public master decrypter release: scope of recovery for past victims and operator transition signals.<\/p>\n","protected":false},"author":1,"featured_media":3142,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1665,3292,3293,281,1667,3269],"class_list":["post-3113","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-decryptor-it","tag-master-decrypter","tag-operator-exit","tag-ragnarok","tag-ragnarok-it","tag-ransomware-shutdown"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3113"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3113\/revisions"}],"predecessor-version":[{"id":9904,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3113\/revisions\/9904"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}