Connect with us

Hi, what are you looking for?



Authorities Shut Down RagnarLocker Ransomware Infrastructure

The RagnarLocker ransomware group’s dark web leak site has been seized in a coordinated law enforcement operation.

The RagnarLocker ransomware’s infrastructure and the website the group used for shaming victims were taken down this week as part of a coordinated law enforcement effort.

Active since 2020, RagnarLocker has been involved in numerous attacks, with at least 52 entities across 10 critical infrastructure sectors falling victims to this ransomware family, according to data from the Federal Bureau of Investigation (FBI).

Unlike other ransomware operations, RagnarLocker was not promoted as ransomware-as-a-service, but was operated by a private group that cooperated with other cybercriminals only when needed.

On the infected machines, RagnarLocker would gather and exfiltrate system information, iterate through all drives, terminate services that could interfere with the encryption process, and then encrypt all files of interest, avoiding folders and files that might impede the systems operation.

The same as other ransomware groups, the RagnarLocker cybergang would exfiltrate victims’ data to use it for extortion. In some cases, the group would only steal data for extortion, without deploying file-encrypting ransomware.

The cybergang then listed the alleged victims of its attacks on a Tor-hosted leak site, threatening to release it publicly unless a ransom was paid.

Starting Thursday, a message displayed in English on the RagnarLocker ransomware operation’s Tor-based website informs visitors that “this service has been seized as part of a coordinated international law enforcement action against the RagnarLocker group.”

On Friday, Europol announced that the site and the ransomware group’s infrastructure had been shut down in a coordinated effort involving law enforcement agencies in the Czech Republic, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, and the US.

Advertisement. Scroll to continue reading.

On October 16, an individual suspected of being the developer for the Ragnar Locker group was arrested in Paris and searches were made at his home in the Czech Republic. Five other suspects were interviewed in Latvia and Spain.

This year, law enforcement operations also led to the shutdown of other nefarious dark web site, including the Hive ransomware portal in January, the Genesis Market cybercrime marketplace in April, and the drugs marketplace Piilopuoti in September.

*updated with additional information from Europol

Related: Deep Dive Into Ragnar Locker Ransomware Targeting Critical Industries

Related: Law Enforcement Blowback Powering Anti-Ransomware Success

Related: Tor-Based Drug Marketplace Piilopuoti Shut Down by Law Enforcement

Related: Feedback Friday: Industry Reactions to Hive Ransomware Takedown

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...