Authorities from the United States and multiple European countries have disrupted the operations of the pernicious Ragnar Locker ransomware group, which has been known for attacking critical infrastructure operators and other high-value targets.
The joint operation involved the FBI, Europol, and agencies from Germany, Italy, France, the Netherlands, Ukraine, and other countries, and the authorities were able to seize the infrastructure used by the Ragnar Locker group in the Netherlands, Germany, and Sweden, and take down the site it maintains on the Tor network. Authorities in France arrested one suspected developer of the ransomware, and police in Ukraine, Spain, the Czech Republic, and Latvia also searched the homes of other suspects, seizing devices and data.
Ragnar Locker began in 2019 and really emerged in 2020 in the early days of the pandemic and quickly became known for specifically targeting critical infrastructure operators. The FBI has identified several dozen separate CI entities that were compromised by Ragnar Locker actors and the group also has attacked hospitals and other sensitive targets. The group is one of many that uses the double-extortion tactic, demanding payments for decryption keys as well as for not releasing sensitive data stolen from victim organizations. Although Ragnar Locker is by no means the largest or most prolific ransomware group on the scene, its proclivity for targeting CI entities and other sensitive organizations made it a prime target for law enforcement.
Like many other ransomware gangs, the Ragnar group included members with specific responsibilities, such as software development, initial access, and reconnaissance.
“The organizers clearly divided the responsibilities between the group members. Individual members were responsible for gathering information and finding vulnerabilities in the victims' cybersecurity architecture. They transferred the collected information to accomplices with computer programming skills. The latter were responsible for creating and modifying malicious software in order to further damage a specific company,” the Ukrainian Cyber Police said.
“I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence.”
Researchers at SentinelOne recently identified some similarities between the Ragnar Locker Linux ransomware and a variant deployed by the newer Dark Angels group.
“In addition to using similar tooling, Dark Angels has continued Ragnar Locker’s penchant for targeting organizations in the critical manufacturing sector. Given the slowdown in Ragnar Locker activity through 2023 and the increase in Dark Angels activity, it’s plausible the takedown’s effects will be muted,” Jim Walter and Alex Delemotte of SentinelOne said.
The Ragnar Locker takedown this week is the result of an operation that began a year ago in which law enforcement agencies from the U.S. and France went to Ukraine to investigate some incidents. That led to the arrest of two suspected Ragnar group members, and kicked off the broader investigation.
“This investigation shows that once again international cooperation is the key to taking ransomware groups down. Prevention and security are improving, however ransomware operators continue to innovate and find new victims,” said Edvardas Šileris, the head of Europol’s European Cybercrime Center. “I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence.”
Jeremy Kennelly, Mandiant’s senior principal analyst for Financial Crime Analysis with Google Cloud, said that the Ragnar Locker takedown, arrest, and associated seizures are "a huge win for law enforcement in continuing efforts to combat the international proliferation of ransomware.”
“Although Ragnarlocker wasn't the largest player in the ransomware ecosystem and this won't directly lead to a major change in the prevalence of ransomware extortion, each law enforcement action targeting criminals engaged in these schemes increases the perceived risks for all individuals involved in the ecosystem and also serves to degrade the bonds of trust across the criminal community,” said Kennelly.