[MART] - Daily Diary #336 - Ragnarok Ransomware Shuts Down Its Operation

CTAS-MAT ctas-mat at appgate.com
Fri Aug 27 20:16:01 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

08/27/2021 - Diary entry #336

Active since 2020, Ragnarok Ransomware was one of the many ransomware gangs operating using the double-extortion model, stealing data before encrypting it and threatening to publish in their deep-web wall-of-shame site if the ransom is not paid.

Ragnarok Ransomware was also monitored by our Ransom Tracker, covered in many of our Daily Diaries. Yesterday, August 25th, Ragnarok decided to shut down its operation. The group published in their wall of shame a universal decryptor for .thor files, the custom extension appended by the malware for every file it manages to encrypt in the affected system. According to our ransom tracker, at least 12 companies were affected by Ragnarok Ransomware and had their name published on the wall-of-shame. It's important to notice that affected companies that paid the ransom much likely would not be on the wall-of-shame, so the actual target list can be much greater.

It's not clear yet the exact reason why Ragnarok decided to shut down its operations, but it can be related to the recent international efforts into fighting ransomware. Those groups are being forced to hide, and it's getting harder for them to even advertise their malware in cyber-crime forums. We want to take this opportunity to reinforce the need to never pay the ransom. We understand some companies can be put in a very delicate situation when targeted ransomware attacks, but only when those groups stop getting profit those attacks will stop.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210827/71c7d6ba/attachment.htm>

More information about the MART mailing list