Euro Security Watch with Mathew J. Schwartz

Is the Ragnar Locker Ransomware Group Headed for Oblivion?

International Law Enforcement Operation Seizes Infrastructure, Disrupts Operation
Is the Ragnar Locker Ransomware Group Headed for Oblivion?
Image: Ragnar Locker's currently inaccessible "Wall of Shame" data leak site

The data leak and negotiation sites for the Ragnar Locker ransomware group went offline Thursday after an international law enforcement operation seized its infrastructure.

Law enforcement agencies participating in the crackdown include the FBI, as well as authorities in France, Germany, Italy, Spain and the Netherlands, backed by Europol's European Cybercrime Center as well as the EU Agency for Criminal Justice Cooperation.

A spokeswoman for Europol told Information Security Media Group that the EU law enforcement agency "is part of an ongoing action against this ransomware group" and that more information would be forthcoming "when all actions have been finalized," potentially on Friday afternoon. News of the takedown was first reported by Bleeping Computer.

Ragnar Locker's Tor-based data-leak site resolves to this takedown notice, as displayed on Oct. 19, 2023. (Image: Information Security Media Group)

It's been a busy week for disrupting ransomware operations. On Wednesday, pro-Ukrainian hackers claimed responsibility for wiping the servers of the recently formed Trigona ransomware gang.

Ragnar Locker appears to have remained active until its takedown. The group behind the ransomware is known for crypto-locking Windows and Linux systems as well as practicing double extortion, meaning it steals data and threatens to leak it in order to pressure victims into paying. The group regularly demands ransoms of $10 million or more, although how many victims pay a ransom - or the final amount they negotiate attackers down to - remains unclear.

Security experts say the group executes its own attacks or works closely with a handful of trusted partners rather than running a ransomware-as-a-service operation and leasing its malware to affiliates in exchange for a cut of every ransom paid.

Long-Running Operation

First appearing in December 2019 as a possible Maze or MountLocker spinoff or partner, Russian-speaking Ragnar Locker had become one of the longest-running ransomware operations, albeit one often classified as operating in the midlevel tier, as compared to high fliers such as REvil/Sodinokibi, DarkSide, Conti, DopplePaymer, Ryuk, Royal, Alphv/BlackCat and LockBit. Then again, many of those operations are no longer in existence, or at least their members are working with other operations or rebranded groups.

In its earlier days, Ragnar Locker made a name for itself by amassing high-profile victims such as energy firm Energias de Portugal, Japanese gaming firm Capcom, aircraft maker Dassault Falcon and Italian liquor-making giant Campari. With the latter, the group displayed its penchant for provocation by hacking into an unaffiliated third-party organization's social media account to lambaste Campari for opting to not pay the ransom it demanded.

The attackers continued to refine their shakedown strategies, including a memorable turn in 2021 when they threatened to immediately leak stolen data for any victim who even thought about attempting to work with law enforcement or hire ransomware response or negotiation experts.

"If you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately," the group told victims in its ransom note. Experts said the attempt to steer victims away from getting help highlighted just how useful police and expert assistance continues to be for victims (see: Ragnar Locker: 'Talk to Cops or Feds and We Leak Your Data').

Ragnar Locker was also one of a number of groups that collaborated with the notorious Conti group, which shut down in May 2022 after launching multiple spinoffs.

Critical Infrastructure Hits

In March 2022, the FBI warned that Ragnar Locker appeared to be actively targeting critical infrastructure sectors, having amassed at least 52 U.S. victim organizations across 10 critical infrastructure sectors.

Other victims of the group that came to light last year included a Greek gas operator, a primary healthcare system in Italy, Portugal's national airline and the Belgium city of Antwerp. The group's targeting of critical infrastructure sectors has continued. Last month, Ragnar Locker leaked data stolen from an Israeli hospital.

More recently, cybersecurity researcher MalwareHunterTeam told Bleeping Computer that last month's attack against Johnson Controls involved the Linux encryptor used by Ragnar Locker since 2021, although a new ransomware operation calling itself DarkAngels took responsibility for the attack. Whether DarkAngels is a potential partner, offshoot or rebrand of Ragnar Locker isn't clear.

Long-Term Impact: Unclear

Whether this week's disruption of Ragnar Locker spells the end of the group remains unclear. Law enforcement has previously disrupted multiple ransomware groups only to see them resurface one or more times after members of the group rebuilt their infrastructure. Examples include REvil, aka Sodinokibi (see: Who's Behind Attempt to Reboot REvil Ransomware Operation?).

In some cases, police appear to have infiltrated operations before their takedown, or at least to have seized or copied critical infrastructure. Whoever attempted to restart REvil's dark web data leak site and payment portal in October 2021 tried to restore a previously used .onion site, reusing a private key. But someone - likely law enforcement - kiboshed those efforts, seemingly because they also possessed the private key (see: REvil's Cybercrime Reputation in Tatters - Will It Reboot?).

This is the second time this year authorities have disrupted a major ransomware operation, following the January takedown of Hive ransomware spearheaded by Dutch, German and U.S. law enforcement agencies. The FBI said Hive had unleashed crypto-locking malware inside 1,500 organizations and received over $100 million in known ransom payments. The Hive operation appears to remain defunct (see: Co-Working for the Ransomware Age: How Hive Thrived).

One repeat challenge for Western law enforcement is that many ransomware operators and their affiliates are based in Russia, which never extradites its citizens to face charges abroad. Hence while their infrastructure might get disrupted, so long as these ransomware practitioners remain at large, they can restart their operations.

Update Oct. 20, 2023, 08:31 UTC: Adds Europol statement.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.