The Ragnarok ransomware gang closed shop on Thursday evening, shuttering its leak website, the file-leaking site it used as part of its extortion scheme, and releasing a decryptor there for remaining victims.
The decryptor works, said Allan Liska, intelligence analyst and ransomware expert at Recorded Future, but, like many other criminal-written decryption tools, it could be made more efficient. A cleaned-up version of the tool is available from security company Emsisoft, which is the one victims should use rather than running the gang's own binary.
Ragnarok is the latest of several ransomware groups to take early retirement this year. Some that closed shop because of too much attention from authorities have rebranded (DarkSide, known for the Colonial Pipeline attack, became BlackMatter, for example). Others, noted Liska, have realized that participating in other parts of the ransomware economy carries less risk than being the brand name associated with an attack.
"Among ransomware groups, especially the second and third tier, players are finding that it's just easier to be an affiliate than it is to try and run a whole brand," said Liska. "In security, we still collectively think of ransomware groups as one group, even though we very much know it's not. And so we describe Conti ransomware, when we know it's really 30 different affiliates doing the work. But that brings all the attention on the group who's making the ransomware."
"Who wants to go next? How about you, LockBit?" tweeted Emsisoft.
Though several large actors have folded their affiliate operations, the deployment of ransomware has not declined, noted Liska. New, smaller contenders have emerged from the wreckage to fill some of the void, and ransomware-as-a-service offerings that already existed are still in play.
"It's basically Whack-a-Mole, where somebody else fills in the gap," said Liska.