Home / About / Threat Intelligence / Ransomware Group Updates

Overview

The Ragnarok ransomware group have shut down and released their master key.
Victims of the group will now be able to recover their files.

Meanwhile, Palo Alto’s threat research team have released info on 4 groups they say have the potential to become more prevalent in the future: `AvosLocker`, `Hive`, `HelloKitty` and `LockBit`.

Impact

Ragnarok attracted attention earlier in the year for targeting Citrix ADC gateways and this will be welcome news to their victims.

Indicators of Compromise

Domains
decoding[.]at
bigblog[.]at

AvosLocker
43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856
fb544e1f74ce02937c3a3657be8d125d5953996115f65697b7d39e237020706f

Hive Ransomware
A0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749
1e21c8e27a97de1796ca47a9613477cf7aec335a783469c5ca3a09d4f07db0ff
Fdbc66ebe7af710e15946e1541e2e81ddfd62aa3b35339288a9a244fb56a74cf
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

Hello Kitty (Linux)
16a0054a277d8c26beb97850ac3e86dd0736ae6661db912b8782b4eb08cfd36e
556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed
9f82f22c137688d0b3e7912d415605d2bbc56478311fd0b3dc265f8d0006aa8c
8f3db63f70fad912a3d5994e80ad9a6d1db6c38d119b38bc04890dfba4c4a2b2
bedf30bbcefc54bc48432674255856f47c0ba2ec46e913d078a53e66ac9dcff8
Ca607e431062ee49a21d69d722750e5edbd8ffabcb54fa92b231814101756041
b4f90cff1e3900a3906c3b74f307498760462d719c31d008fc01937f5400fb85

Lockbit 2.0
F32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202
4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a
F3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae
Ea028ec3efaab9a3ce49379fef714bef0b120661dcbb55fcfab5c4f720598477
Bcdb59232137e570d4afb3c635f8df19ceb03e3f57fe558f4fc69a0be778c6ab
4efcd774d9d224137c5840e9a2d0f9e56c976e8e7a49158e3c15135dd9fbae9c
00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8
E32dc551a721b43da44a068f38928d3e363435ce0e4d2e0479c0dfdb27563c82
16a707a3965ebd71ebc831b68863b855b2c8d60aef8efdef1e0c0a6cc28e9bc7
Bc0b54c19949f407da972f0bedf7f429c0fe25181564d1fb6d053b989925898f
Acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c
0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049
Bcbb1e388759eea5c1fbb4f35c29b6f66f3f4ca4c715bab35c8fc56dcf3fa621
717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474
73406e0e7882addf0f810d3bc0e386fd5fd2dd441c895095f4125bb236ae7345
90af3848d5a0c5eb9c6ddc1ee2e6c539dd6cb5ec5a433d00a6dae22fb221c446
4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd
21879b5a8a84c5fe5e009c85744caf74b817c57203020bf919037d7ccb6b6a58
56fd91787c641c2329a86813497d0e6ff219c81a4d61ac10fedef9cd68c3baed
9dd6cc25b2f920b825e15682a4d06435a42b281674ba6e99c8e2b2222c9d638f
23984141a918be3345296bb6bf50d8d356229cb832c726833499fbb950037d00
91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631
1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739
Ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75
5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677
0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f
E3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18
Ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d
76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869

Threat Landscape

New ransomware gangs pop up and old ones disappear or rebrand quite often.
Ragnarok is the third group this year to shut down and release a decryption key this year after `Avaddon` and `SynAck`.

Mitre Methodologies

T1486 – Data Encrypted for Impact

Further Information.

Ragnarok – malpedia 
Ransomware Groups to Watch: Emerging Threats