This week saw a combined effort from law enforcement and judicial authorities from eleven countries deliver a major blow to one of the most dangerous ransomware operations of recent years.

The Ragnar_Locker ransomware gang had been active since late 2019, targeting multiple companies across the world.

In an operation coordinated by the French National Gendarmerie, the Ragnar_Locker group's infrastructure was seized in the Netherlands, Germany and Sweden, and the associated data leak website on Tor was also taken down in Sweden. In total, nine servers were taken down.

The complex investigation was led by the French National Gendarmerie, together with law enforcement authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and the United States of America.

A seizure notice on the RagnarLocker leak site

The “key target” of the gang was arrested in Paris, France, on 16th October, and his home in Czechia was searched.

The Europol activity started with the arrest in September of two Ukrainian ransomware operators, which saw 7 different properties searched, the seizure of US$375,000 in cash and $1.3M in cryptocurrency, and the seizure of two luxury vehicles worth $217,000.

The FBI issued a Flash notice in 2022 relating to Ragnar_Locker which stated that “As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors”.

The Flash notice identified some of the tactics, techniques, and procedures (TTPs) used by the gang, so that companies could check their infrastructure for signs of compromise, and described how to defend against possible attack.

Who were Ragnar_Locker?

Ragnar_Locker started its activity towards the latter end of 2019 and enjoyed a fairly successful career. Victims were spread across multiple industry sectors and countries. Some of the victims included Energias de Portugal (EDP), the Greek gas operator DESFA, the Zwijndrecht police force, Campari, and Capcom.

The RagnarLocker ransom note delivered to Capcom