Ragnar Locker Ransomware Gang Taken Down By Major International Police Operation Against Cybercriminals
Law enforcement and judicial authorities from eleven countries delivered a major blow to one of the most dangerous ransomware operations of recent years.
What is Ragnar Locker Ransomware
Ragnar Locker Ransomware is a type of malware that encrypts a victim’s files and demands a ransom payment in order to decrypt them. The ransomware is typically spread through phishing emails or malicious websites. Once a victim’s computer is infected, Ragnar Locker will encrypt all of their files, making them inaccessible. The ransomware will then display a ransom note demanding payment in Bitcoin or another cryptocurrency.
Ragnar Locker Ransomware is a particularly dangerous type of malware because it is able to encrypt a wide variety of file types. This makes it difficult for victims to recover their files without paying the ransom. In addition, Ragnar Locker is known for targeting large organizations, such as businesses and government agencies. This makes it a significant threat to critical infrastructure.
The Ragnar Locker Ransomware Shutdown
The coordinated action at an international level by Europol and Eurojust targeted the Ragnar Locker ransomware group. The group was responsible for numerous high-profile attacks against critical infrastructure across the world.
In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain and Latvia.
The “key target” of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days. At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.
The ransomware’s infrastructure was also seized in the Netherlands, Germany, and Sweden and the associated data leak website on Tor was taken down in Sweden.
This international raid follows a complex investigation led by the French National Gendarmerie, together with law enforcement authorities from the Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States of America.
In the framework of this investigation, a first round of arrests was carried out in Ukraine in October 2021 with Europol’s support.
What kind of Malware is Ragnar Locker?
Active since December 2019, Ragnar Locker is the name of a ransomware strain and of the criminal group that developed and operated it.
This malicious actor made a name for itself by attacking critical infrastructure across the world, having most recently claimed the attacks against the Portuguese national carrier and a hospital in Israel.
This strain of ransomware targeted devices running Microsoft Windows operating systems and would typically exploit exposed services like Remote Desktop Protocol to gain access to the system.
The Ragnar Locker group was known to employ a double extortion tactic, demanding extortionate payments for decryption tools as well as for the non-release of the sensitive data stolen.
The threat level of Ragnar Locker was considered as high, given the group’s inclination to attack critical infrastructure.
Don’t Call the Cops
Ragnar Locker explicitly warned their victims against contacting law enforcement, threatening to publish all the stolen data of victimized organizations seeking help on its dark web ‘Wall of Shame’ leak site.
“All that the FBI/ransomware negotiators/investigators do is muck things up, so we’re going to publish your stuff if you call for help”, the Ragnar Locker ransomware gang announced on its hidden website.
Little did they know that law enforcement was closing in on them.
Back in October 2021, investigators from the French Gendarmerie and the US FBI, together with specialists from Europol and INTERPOL were deployed to Ukraine to conduct investigative measures with the Ukrainian National Police, leading to the arrest of two prominent Ragnar Locker operators.
The investigation continued ever since, leading to the arrests and disruption actions this week. Europol’s European Cybercrime Centre Europol supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy.
Its cybercrime specialists organized 15 coordination meetings and two week-long sprints to prepare for the latest actions, alongside providing analytical, malware, forensic, and crypto-tracing support. A virtual command post was set up this week by Europol to ensure seamless coordination between all the authorities involved.
The case was opened by Eurojust in May 2021 at the request of the French authorities. Five coordination meetings were hosted by the Agency to facilitate judicial cooperation between the authorities of the countries that supported the investigation. Eurojust set up a coordination center during the action week to enable rapid cooperation between the judicial authorities involved.
The Head of Europol’s European Cybercrime Centre, Edvardas Šileris, said:
“This investigation shows that once again international cooperation is the key to taking ransomware groups down. Prevention and security are improving, however ransomware operators continue to innovate and find new victims. Europol will play its role in supporting EU Member States as they target these groups, and each case is helping us improve our modes of investigation and our understanding of these groups. I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence.”
Close cooperation between the involved law enforcement authorities was also supported by Europol’s Joint Cybercrime Action Taskforce (J-CAT), composed of cybercrime liaison officers posted to Europol’s headquarters.
The Following Agencies took part in the Investigation:
- Czechia: National Counter-Terrorism, Extremism and Cybercrime Agency of Police of the Czech Republic
- France: National Cybercrime Centre of the French Gendarmerie (Gendarmerie Nationale – C3N)
- Germany: State Criminal Police Office Sachsen (Landeskriminalamt Sachsen), Federal Criminal Police Office (Bundeskriminalamt)
- Italy: State Police (Polizia di Stato), Postal and Communication Police (Polizia Postale e delle Comunicazioni)
- Japan: National Police Agency (NPA)
- Latvia: State Police (Latvijas Valsts Policija)
- Netherlands: Police of East Netherlands (Politie Oost-Nederland)
- Spain: Civil Guard (Guardia Civil)
- Sweden: Swedish Cybercrime Centre (SC3)
- Ukraine: Cyberpolice Department of the the National Police of Ukraine (Національна поліція України)
- United States: Atlanta Field Office of the Federal Bureau of Investigation
The investigation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).