An international law enforcement action coordinated by European Interpol and officials of foreign law enforcement agencies led to the takedown of the Ragnar Locker ransomware group on October 20, 2023. Various law enforcement agencies, including French, American, and Japanese agencies, were involved in the operation, which was conducted jointly by Eurojust and Europol. A notice stating that the websites had been seized was posted on the group's Tor negotiation and data leak websites, indicating that they had been taken down.
As part of a joint international operation, law enforcement agencies arrested a malware developer linked to the Ragnar Locker ransomware gang and seized the gang's dark websites, which were previously used to distribute the malware. The Ragnar Locker gang is believed to have attacked 168 international companies since 2020, making over $1 million in profits in that time.
In a related operation conducted on October 18 and 19 in Paris, a "key target" said to have been involved in the Ragnar Locker ransomware group was arrested. A report on one of the EU's official news outlets, Europa, claims that the developer of the ransomware has also been arrested, in addition to the victim of the ransomware. Law enforcement agencies from around the world collaborated to make these arrests possible.
The "main leader" of the ransomware was arrested in Paris, France, on October 16. His home in the Czech Republic was also reportedly raided by the police.
At the end of a weeklong action, the alleged leaders of the Ragnar group's developers were brought before the examining magistrate of the Paris Justice Court.
The ransomware infrastructure was also confiscated in the Netherlands, Germany, and Sweden, and the data leak website associated with the ransomware was taken offline in Sweden.
The Ragnar Locker ransomware group was one of the first big game-hunting ransomware groups to steal data in addition to encrypting files and threatening victims with ransom. Unlike many other ransomware groups, Ragnar Locker was not a ransomware-as-a-service (RaaS) operation; instead, it worked with external penetration testers to gain initial access to victims' networks.
At least one arrest was announced on Friday, after the dark website was seized on Thursday. Now that law enforcement has seized the negotiation site, ransomware victims will receive a message indicating that they are being assisted by law enforcement, even though no assistance has yet been provided to them.
A 35-year-old Czech national suspected of being the group leader was reportedly arrested in France on October 16 and detained, and police in his country searched his residence on suspicion of protecting his activities.
According to Ukrainian authorities, a suspect's home in Kyiv was searched, and several devices and electronic media were taken from the residence. The name of the suspect has not yet been released publicly.
In late 2019, Ragnar Locker began operating as an affiliate of Maze or MountLocker, and the group has been operating since then. There was no doubt that this group was one of the biggest groups in terms of attack volumes or money collected, but it was a significant threat that penetrated several critical infrastructure entities in several countries, making it a priority for law enforcement.
A central theme that emerges from the groups that are targeted by these major law enforcement campaigns is their tendency to become overly audacious in their attacks on sensitive critical infrastructure, such as power grids, water supply systems, and hospitals. While Ragnar Locker gained notoriety for its high-profile attacks on gaming company Capcom and liquor giant Campari, it is the attacks on entities like Energias de Portugal that truly propelled it up the priority ladder.
A flash warning issued by the FBI in early 2022 revealed that Ragnar Locker had already breached the defences of 52 critical infrastructure companies across 10 different sectors in the United States up until that point in time. This alarming revelation highlights the scale and impact of Ragnar Locker's activities.
This investigation was conducted by agents from the US FBI and the French Secret Service, along with representatives of Europol and INTERPOL. As a result of this investigation, two senior Ragnar Locker operatives were arrested, along with eight other officers from French and US intelligence agencies.
The arrests and disruptions this week result from the investigation that has been ongoing for the past few days. Europol had supported the investigation from the very beginning, bringing together all the concerned nations to coordinate the action.
During the preparation of the current steps, Europol's cybercrime experts conducted 15 coordination meetings along with two week-long sprints. Following Europol's decision last week to establish a virtual command post for smooth cooperation among all entities involved, the agency is also providing analysis, malware, forensic, and crypto-tracing assistance.
This move by the government to bring down the Ragnar Locker ransomware group underlines the importance of international cooperation to combat cybercrimes. Law enforcement officials from different countries worked together to dismantle the infrastructure of the group and arrest its key members as part of this operation.
The Ragnar Locker ransomware group was brought to an end by a remarkable display of international collaboration among law enforcement agencies. International cooperation has proven to be an effective method of safeguarding our digital environment in this particular operation.