Universal Decryption Master Key Released as the Ragnarok Ransomware shuts down

September 5, 2021
Universal Decryption Master Key Ragnarok Ransomware shuts down

The sudden disappearance of the group may be a surprise for the business, as reported by cyber researchers. Ragnarok, ransomware mainly used in attacks against unpatched Citrix servers and has been active since 2019, has declared to shut down their business operations. They have also been reported to release the master key to decrypt all locked files for their target victims. 

Along with the group’s withdrawal announcement comes the shutdown of their leaked website, with all of the visual elements deleted, leaving only a short text that links to an archive. Once clicked, the archive will show the master key and the binaries to use with it. 


The attackers from Ragnarok have also changed the victims’ names with a note, instructing each of them on how to unlock their respective stolen files. 


Emsisoft, an anti-virus distributed software company, known for decrypting ransomware attacks in data restoration, has released the universal decryptor for Ragnarok. 

The list of their victims from the group’s leaked website, recorded between July 7 to August 16 this year, has shown 12 entries. These victims were sited in different countries such as Estonia, France, Hong Kong, Malaysia, Italy, Sri Lanka, Spain, Turkey, Thailand, and the U.S. 


Other quitting announcements 

Recently, several ransomware groups have also announced their exit from the cyber hacking industry aside from Ragnarok. These groups have also release decryption keys to unlock victim information. 

Last February this year, a ransomware group called Ziggy has announced its withdrawal and released over 900 keys. And then, in May, the Conti ransomware group has provided decrypting keys for free towards HSE Ireland. The same goes for Avaddon and SynAck ransomware groups. 



This year has recorded a rise in trend amongst ransomware groups regarding their rebranding, shutting down, and up to releasing master keys toward their respective victims. These activities from the groups could have been due to the pressure that global enforcement organizations have been implementing. Nonetheless, the shutting down of some ransomware groups only means more space for new ones to arrive through the threat industry. Enforcement agencies are reported to be more watchful because of this possibility. 

About the author

Leave a Reply