Ragnarok is a ransomware group that emerged in March 2021 with primarily financial motivations, conducting targeted attacks against commercial facilities. The group's origin and potential state affiliations remain largely undocumented in public threat intelligence reporting, and there is limited information available regarding whether they operate as a Ransomware-as-a-Service model or as an independent entity. Based on available data, Ragnarok has been linked to at least three confirmed victims, with their attack methodology and specific technical capabilities not extensively documented in public security research from major threat intelligence firms. The group appears to have specifically focused their targeting efforts on commercial facilities sectors, though the scope and scale of their operations remain relatively small compared to more prominent ransomware operations. Current public reporting does not provide sufficient detail regarding notable high-profile campaigns, significant ransom demands, or law enforcement actions specifically targeting this group. The current operational status of Ragnarok remains unclear based on available public threat intelligence, with limited recent reporting on their activities since their initial emergence in 2021. The group has been linked to 3 public disclosures across our corpus. First observed on a leak site on March 31, 2021; most recent post December 30, 2021. The operation is currently inactive.
How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.
