Authorities Disrupt Ragnar Locker Ransomware Gang

Law enforcement and judicial authorities from 11 countries recently worked together to combat the Ragnar Locker ransomware group, according to Europol.

As part of a coordinated effort, authorities seized the ransomware's infrastructure in the Netherlands, Germany and Sweden, Europol noted. They also took down the Ragnar Locker ransomware group's Tor data leak website in Sweden.

Authorities Conduct 'International Sweep'

Between October 16 and 20, 2023, authorities completed searches in Czechia, Spain and Latvia as part of an "international sweep" targeting the Ragnar Locker ransomware gang, Europol indicated.

The primary target of the sweep was found and arrested on October 16, Europol said. Authorities also searched this target's home.

In the days that followed, five suspects were interviewed in Spain and Latvia, Europol stated. Since that time, the main perpetrator — who authorities believe may be the creator of the ransomware group — has been brought in front of examining magistrates of the Paris Judicial Court.

Previously, the French National Gendarmerie had been working with law enforcement authorities in Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and the United States to investigate the Ragnar Locker ransomware group, Europol indicated. As part of this investigation, arrests were made in Ukraine in October 2021.

What MSSPs Need to Know About the Ragnar Locker Ransomware and Group

Ragnar Locker has been active since December 2019, Europol noted. The name refers to both the ransomware strain and the group behind it.

Cybercriminals use Ragnar Locker ransomware to target devices running Microsoft Windows operating systems, Europol said. They typically exploit exposed services like Remote Desktop Protocol (RDP) to gain access to systems.

Furthermore, the Ragnar Locker group is known to use a double-extortion tactic during its attacks, Europol stated. Group members will demand ransom payments in exchange for access to decryption tools or non-release of stolen data.

Ragnar Locker Group to Victims: Don't Call the Cops

Generally, Ragnar Locker group members would warn victims against contacting law enforcement, Europol pointed out. They would threaten to publish victims' stolen data on the group's dark web "Wall of Shame" leak site. "All that the FBI/ransomware negotiators/investigators do is muck things up, so we’re going to publish your stuff if you call for help," Ragnar Locker published on this site.

The European Union Agency for Criminal Justice (Eurojust) opened a case against the Ragnar Locker group in May 2021. From here, coordination meetings were held between the agency and authorities in countries that supported the case. This ultimately led to the coordinated effort between multiple countries that took place in October 2023.

Dan Kobialka
