The RagnarLocker ransomware’s infrastructure and the website the group used for shaming victims were taken down this week as part of a coordinated law enforcement effort.
Active since 2020, RagnarLocker has been involved in numerous attacks, with at least 52 entities across 10 critical infrastructure sectors falling victims to this ransomware family, according to data from the Federal Bureau of Investigation (FBI).
Unlike other ransomware operations, RagnarLocker was not promoted as ransomware-as-a-service, but was operated by a private group that cooperated with other cybercriminals only when needed.
On the infected machines, RagnarLocker would gather and exfiltrate system information, iterate through all drives, terminate services that could interfere with the encryption process, and then encrypt all files of interest, avoiding folders and files that might impede the systems operation.
The same as other ransomware groups, the RagnarLocker cybergang would exfiltrate victims’ data to use it for extortion. In some cases, the group would only steal data for extortion, without deploying file-encrypting ransomware.
The cybergang then listed the alleged victims of its attacks on a Tor-hosted leak site, threatening to release it publicly unless a ransom was paid.
Starting Thursday, a message displayed in English on the RagnarLocker ransomware operation’s Tor-based website informs visitors that “this service has been seized as part of a coordinated international law enforcement action against the RagnarLocker group.”
On Friday, Europol announced that the site and the ransomware group’s infrastructure had been shut down in a coordinated effort involving law enforcement agencies in the Czech Republic, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, and the US.
On October 16, an individual suspected of being the developer for the Ragnar Locker group was arrested in Paris and searches were made at his home in the Czech Republic. Five other suspects were interviewed in Latvia and Spain.
This year, law enforcement operations also led to the shutdown of other nefarious dark web site, including the Hive ransomware portal in January, the Genesis Market cybercrime marketplace in April, and the drugs marketplace Piilopuoti in September.
*updated with additional information from Europol