Diabolical Ransomware Gang Calls It Quits

Avengers Disassemble

A flurry of ransomware gangs have been slinking away from public view in recent weeks. Now they’re doling out antidotes to their attacks as they surrender.

Photo Illustration by The Daily Beast / Photos Getty

Just as in the Marvel Universe, a ransomware group that goes by the name “Ragnarok” caused catastrophic harm and ended in a snap.

Ragnarok, a hacking gang that’s locked victims out of their computers and extorted them since 2019, suddenly appears to have called it quits. The group shared a free tool Thursday that will help previous victims unlock their files and gain access to their computers again, according to security researchers.

It’s not clear why Ragnarok is abandoning its pilfering ways. But the apparent decision to self-destruct is a move that other ransomware gangs have been adopting as well. Ragnarok is the fifth ransomware operator that’s appeared to backtrack on its previous grift following increased international attention to ransomware hacking. The Ziggy, Avaddon, SynAck, and Fonix hacking groups have all also retreated from their ransomware hacking this year, each giving up its keys and neutralizing its attacks.

The uptick in hackers backing down in recent months is somewhat unorthodox, according to Brett Callow, an analyst at Emsisoft, which helps ransomware victims recover from ransomware attacks.

“While it’s not unprecedented for gangs to do this, it’s certainly unusual for so many to have done it, and I suspect the exits are due to increased attention from law enforcement,” Callow told The Daily Beast. “Put simply, they got cold feet.”

In its statement about its withdrawal, Ziggy explicitly declared that their intention in backing down was to avoid law enforcement crackdowns and repercussions, according to an earlier interview with Bleeping Computer.

Other ransomware gangs in recent weeks have been working to avoid the watchful eye of law enforcement and world powers as well—several gangs that drew the attention of President Joe Biden following their attacks that led to shutdowns at Colonial Pipeline, a massive fuel supplier across the East Coast, and meat supplier JBS, have gone dark. REvil, the gang behind the JBS attack, has since mysteriously disappeared from the internet. And DarkSide, the gang behind the Colonial Pipeline incident, also announced it was backing down and retiring.

Even those operating in underground criminal communities have started treating ransomware hackers like pariahs. Popular Russian language cybercriminal forum administrators have announced in recent weeks that ransomware gangs would be barred from posting and coordinating their hacking schemes, following increased law enforcement attention.

In the meantime, hackers have found workarounds. In response to the heightened legal attention, ransomware gangs have resorted to using code words on cybercriminal forums to avoid getting booted, security researchers recently told The Daily Beast.

Of course, cybercriminals’ statements that they’re “retiring” are not always serious. In recent days the two gangs behind the JBS and Colonial Pipeline hacks—although they appeared to call it quits—have fused their operations together in a new gang.

Neil Walsh, the United Nations’ chief of the cybercrime and anti-money laundering department, at the U.N.’s Office on Drugs and Crime, told The Daily Beast he was glad to see Ragnarok go for now.

“The COVID-19 pandemic has harmed people and economies around the world… The disruption and dislocation of the Ragnarok ransomware group is welcomed,” Walsh said.

For Ragnarok, the motivation behind its apparent U-turn isn’t so clear at the moment, leaving a puzzle for security analysts to unravel in the coming days. But one thing is clear—just because Ragnarok is gone for now, it doesn’t mean ransomware is over.

Raj Samani, a chief scientist at security firm McAfee, told The Daily Beast that it was difficult to ascertain “what the conclusion about the decision is since the motivation [is] unclear for now.”

“Broadly speaking it is positive that there is one less ransomware group to contend with, [but] it is imperative to not lose sight of the fact that there are many other threat groups out there causing damage across the globe,” said Samani, who is the founder of No More Ransom, an organization that maintains a repository of decryption keys and tools for different kinds of ransomware that victims can use should they need them.

Ransomware hacking has continued steadily despite the apparent global recoil. Even as the coronavirus pandemic has raged on with new surges around the world, ransomware gangs have been targeting hospitals, causing one hospital in Indiana to divert ambulances.

Just this week Boston Public Library was hit in a ransomware attack, according to The Boston Globe. (Boston Public Library declined to confirm if it was hit with a ransomware attack when reached for comment.)

Walsh urged that victims looking to recover from Ragnarok attacks consult with Europol, the European Union’s law enforcement agency, and No More Ransom.

Europol did not immediately return a request for comment.