Ragnarok, a ransomware gang operational since 2019 that gained notoriety after launching attacks against unpatched Citrix ADC servers, has shut down and released a free decryption key for its victims.
The gang, sometimes referred to as Asnarok, last week replaced all 12 of the victims listed on its dark web portal with a short instruction on how to decrypt files. This was accompanied by the release of a decryptor, which experts at Emsisoft confirmed contains the master decryption key. The security firm, known for assisting ransomware victims with data decryption, has also released a universal decryptor for Ragnarok ransomware.
Ragnarok is best known for using the Ragnar Locker ransomware to target IT networks. It claimed dozens of victims after exploiting a Citrix ADC vulnerability to search for Windows computers that are vulnerable to the EternalBlue vulnerability — the same vulnerability behind the now-notorious WannaCry attack — and has racked up more than $4.5 million in ransom payments, according to the Ransomwhe.re payments tracker.
In April 2020, the cybercriminals stole 10 terabytes of data belonging to Portuguese energy giant EDP and threatened to leak it if a ransom of $10.9 million was not paid. The gang went on to exfiltrate up to 2TB of data, including bank statements, employee records and celebrity agreements, from the servers of Italian liquor giant Campari Group, and demanded it hand over $15 million in ransom.
And in November, the short-lived ransomware gang also targeted Capcom, the Japanese video games giant behind titles such as Street Fighter, Resident Evil and Devil May Cry. The gang reportedly stole the personal data of 390,000 customers, business partners and other external parties from Capcom’s systems.
News of the shutdown was first reported by Bleeping Computer.
With no formal departure note, it’s not clear why Ragnarok has seemingly decided to call it quits. But other ransomware gangs have adopted a similar self-destruction tactic in the face of increasing pressure from the U.S. government, which earlier this year branded ransomware as a national security threat; REvil, the gang behind the JBS attack, mysteriously disappeared from the internet, and DarkSide, the gang behind the Colonial Pipeline incident, also announced it was retiring.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Other ransomware gangs, including Ziggy Avaddon, SynAck and Fonix, have also all retired from hacking this year, each giving up their keys to help victims recover from their attacks.
Of course, it remains to be seen whether Ragnarok’s disappearance is permanent, or whether it will simply rebrand; the infamous DoppelPayment ransomware gang recently reappeared as Grief Ransomware after months of no activity.
“Even though I am sure is only temporary, it is nice to see another win,” tweeted Allan Liska, from Recorded Future’s Computer Security Incident Response Team.
Ransomware recovery can be costly, and not just because of the ransom
