The RagnarLocker ransomware’s infrastructure and the website the group used for shaming victims were taken down this week as part of a coordinated law enforcement effort. Active since 2020, RagnarLocker has been involved in numerous attacks, with at least 52 entities across 10 critical infrastructure sectors falling victims to this ransomware family, according to data from the Federal Bureau of Investigation (FBI).
See: https://redskyalliance.org/xindustry/ragnar-locker-ransomware
Unlike other ransomware operations, RagnarLocker was not promoted as Ransomware-as-a-Service (SaaS) but was operated by a private group that cooperated with other cybercriminals only when needed. On the infected machines, RagnarLocker would gather and exfiltrate system information, iterate through all drives, terminate services that could interfere with the encryption process, and then encrypt all files of interest, avoiding folders and files that might impede the systems operation.[1]
The same as other ransomware groups, the RagnarLocker cybergang would exfiltrate victims’ data to use it for extortion. In some cases, the group would only steal data for extortion, without deploying file-encrypting ransomware.
See: https://redskyalliance.org/xindustry/ragnar-locker-update
The cybergang then listed the alleged victims of its attacks on a Tor-hosted leak site, threatening to release it publicly unless a ransom was paid.
As of 18 October 2023, a message displayed in English on the RagnarLocker ransomware operation’s Tor-based website informs visitors that “this service has been seized as part of a coordinated international law enforcement action against the RagnarLocker group.” On 19 October 2023, Europol announced that the site and the ransomware group’s infrastructure had been shut down in a coordinated effort involving law enforcement agencies in the Czech Republic, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, and the US.
On 16 October 2023, an individual suspected of being the developer for the Ragnar Locker group was arrested in Paris and searches were made at his home in the Czech Republic. Five other suspects were interviewed in Latvia and Spain. During 2023, law enforcement operations also led to the shutdown of other nefarious dark web site, including the Hive ransomware portal in January 2023, the Genesis Market cybercrime marketplace in April 2023, and the drugs marketplace Piilopuoti in September 2023.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.securityweek.com/authorities-seize-control-of-ragnarlocker-ransomware-dark-web-site/
Comments