The Ragnar Locker ransomware gang used Facebook ads to extort and terrorize victims, including hospitals.
In a significant international operation, law enforcement agencies from eleven countries have successfully dismantled the notorious Ragnar Locker ransomware group. This joint effort, led by Europol and Eurojust, dealt a major blow to a cybercriminal organization responsible for a series of high-profile attacks on critical infrastructure worldwide.
The operation, conducted from October 16th to 20th 2023, involved coordinated searches in Czechia, Spain, and Latvia. The “key suspect” linked to the malicious ransomware strain was apprehended in Paris, France, on October 16, 2023.
Subsequent interviews were conducted with five suspects in Spain and Latvia. At the conclusion of the operation, the alleged mastermind behind the Ragnar group was presented before the examining magistrates of the Paris Judicial Court.
Law enforcement agencies also seized the ransomware’s infrastructure in the Netherlands, Germany, and Sweden, and took down the associated data leak website on Tor in Sweden.
The investigation, according to Europol’s press release, leading to this international operation was a collaborative effort involving the French National Gendarmerie, as well as authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States. The initial arrests in Ukraine, with support from Europol, occurred in October 2021 as part of this complex investigation.
Ragnar Locker, both the ransomware strain and the criminal group behind it, has been active since December 2019. The group gained fame for targeting critical infrastructure worldwide, including recent attacks on the Portuguese national carrier and an Israeli hospital.
Among the infamous Ragnar Locker ransomware gang’s victims were well-known Japanese video gaming firm Capcom and Energias de Portugal (EDP), a Portuguese electric company and energy giant. This ransomware specifically targeted Windows devices and often exploited vulnerabilities such as Remote Desktop Protocol for unauthorized access.
Ragnar Locker was known for employing a double extortion tactic, demanding large payments for decryption tools and threatening to release stolen sensitive data. Its focus on critical infrastructure made it a high-level threat.
The group warned victims against contacting law enforcement, threatening to publish stolen data on its dark web ‘Wall of Shame’ leak site. It is worth noting that this is the same gang that used Facebook ads to extort victims.
However, law enforcement agencies, including the French Gendarmerie and the US FBI, cooperated with Europol and INTERPOL, leading to the arrest of two prominent Ragnar Locker operators in Ukraine in October 2021. The investigation continued, resulting in the recent arrests and disruption actions.
The Ragnar Locker ransomware gang is just another cybercriminal enterprise to bite the dust. Authorities have successfully seized domains or dismantled the infrastructure of several ransomware groups, including Netwalker, Cl0P, DarkSide, REvil, and Egregor.
- Ransomware gang behind attacks on 100+ companies busted
- Domain, server of DoubleVPN used by ransomware gangs seized
- Alleged Ukrainian Member of REvil Ransomware Gang Extradited to US
- WT1SHOP Cybercrime Market Seized by US and Portuguese Authorities
- E-Root Marketplace Admin Extradited to US on Computer Fraud Charge