On October 20, 2023, European Interpol announced that it had taken down the Ragnar Locker ransomware group in a coordinated international law enforcement action. The operation was conducted by Eurojust and Europol in conjunction with law enforcement officers from France, the United States, and Japan. The group’s Tor negotiation and data leak sites were taken down and replaced with a notice stating that the websites had been seized.
Arrest of key members
As part of the operation, a “key target” allegedly involved with the Ragnar Locker ransomware group was arrested in Paris on October 18. The report on Europa, an official news outlet of the EU, claims that the developer of the ransomware was also arrested. The arrests were made possible through international cooperation between law enforcement agencies.
The group is understood to have launched multiple attacks on critical infrastructure around the world. This includes a cyberattack against Capcom in 2020. From October 16th to 20th, criminal police conducted search operations in the Czech Republic, Spain, and Latvia.
The “main leader” of the malicious ransomware was arrested in Paris, France, on October 16. His home in the Czech Republic was also raided. Over the next few days, five suspects were questioned in Spain and Latvia. At the end of the week of action, the alleged ringleaders of the Ragnar Group developers were brought before the examining magistrate of the Paris Justice Court.
The ransomware infrastructure was also seized in the Netherlands, Germany, and Sweden. Also, the associated data leak website on Tor was shut down in Sweden.
Impact on the group
While the takedown of the group’s infrastructure is a huge blow, it may not be enough to completely dismantle the group. The group may be able to quickly set up other servers to replace those that were taken down. Also, the takedown of the group’s infrastructure could cause problems for organizations that have been impacted by a ransomware attack and have lost a method to negotiate with the group.
Ragnar Locker has been active since December 2019. It targets Windows operating system devices and usually uses exposed services such as the Remote Desktop Protocol to gain access to the system. The Ragnar Locker group employs a dual extortion strategy. It demands payment for decryption tools and a demand that the stolen sensitive data not be made public.
Previous attacks
Ragnar Locker has been tied to various attacks in the past. This includes attacks on the Mayanei Hayeshua Medical Center in Bnei Brak and TAP Air Portugal’s systems. The group is known for focusing on the energy sector.
Gizchina News of the week
Given Ragnar Locker’s propensity for attacking critical infrastructure, the group’s threat level is considered high. The group sternly warns all its victims not to contact law enforcement and threatens to publish all stolen data if that happens. In fact, victims are also warned not to seek help on its dark web “Wall of Shame” leak site.
The Ragnar Locker ransomware gang announced on its hidden website
“All that the FBI/ransomware negotiators/investigators do is muck things up, so we’re going to publish your stuff if you call for help”
The Head of Europol’s European Cybercrime Centre, Edvardas Šileris, said:
This investigation shows that once again international cooperation is the key to taking ransomware groups down. Prevention and security are improving, however ransomware operators continue to innovate and find new victims. Europol will play its role in supporting EU Member States as they target these groups, and each case is helping us improve our modes of investigation and our understanding of these groups. I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence.
Previous arrests
In October 2021, officers from France and the US FBI, along with experts from Europol and INTERPOL, were dispatched to Ukraine. They conducted a joint probe with the Ukrainian National Police. The probe resulted in the arrest of two senior Ragnar Locker operators.
Since then, the probe has gone on, leading to the arrests and disruptions this week. Europol supported the probe from the very start, bringing together all of the nations concerned to develop a joint approach.
Its cybercrime experts conducted 15 coordination meetings and two week-long sprints to prepare for the current steps. This is in addition to offering analytical, malware, forensic, and crypto-tracing assistance. Europol formed a virtual command post last week to enable smooth cooperation among all entities involved.
The takedown of the Ragnar Locker ransomware group highlights the importance of international cooperation in combating cybercrime. The operation involved law enforcement officials from multiple countries working together to dismantle the group’s infrastructure and arrest key members.
Conclusion
Ragnar Locker started its operations at the end of 2019, making it unusually long-lived for a ransomware group. The group was known for focusing on the energy sector and had been tied to various attacks. This includes when it hit the Mayanei Hayeshua Medical Center in Bnei Brak just this past summer. The group also targeted TAP Air Portugal’s systems and claimed to have stolen data. In 2022, the FBI published a flash alert to warn that the Ragnar Locker ransomware gang had breached the networks of at least 52 organizations across 10 critical infrastructure sectors.
This takedown is a significant win for law enforcement. However, it may be no more than an inconvenience for the Ragnar group if they are able to quickly set up other servers to replace them. Also, this could cause problems for people whose organizations have been impacted by a ransomware attack. This is because they will now have lost a method to negotiate with the bad actors. Nonetheless, this probe shows that international cooperation can help take down ransomware groups.
