
Ransomware Kingpin Behind Ragnar Locker Arrested in Paris

An international law enforcement action, coordinated by European Interpol together with officials of foreign law enforcement agencies, led to the takedown of the Ragnar Locker ransomware group on October 20, 2023. Law enforcement agencies from several countries, including France, the United States, and Japan, took part in the operation, which was run jointly by Eurojust and Europol. A seizure notice was posted on the group's Tor negotiation and data leak websites, indicating that the sites had been taken down.

As part of the joint international operation, law enforcement agencies arrested a malware developer linked to the Ragnar Locker ransomware gang and seized the dark web sites the gang had previously used to distribute the malware. Since 2020, the Ragnar Locker ransomware gang is believed to have hit 168 international companies, making over $1 million in profits over that period.

In a related action, conducted on October 18 and 19 in Paris, a "key target" said to have been involved in the Ragnar Locker ransomware group was arrested. A report from Europa, one of the EU's official news outlets, claims that the developer of the ransomware was also arrested, in addition to the victim of the ransomware. Law enforcement agencies from around the world collaborated to make these arrests possible.

The "main leader" of the ransomware, which was circulating on the Internet, was arrested in Paris, France, on October 16. It was also reported that his home in the Czech Republic had been raided by the police. The alleged leaders of the Ragnar Locker developer group were brought before the examining magistrate of the Paris Justice Court at the end of a week-long action.

It also emerged that the ransomware infrastructure had been confiscated in the Netherlands, Germany, and Sweden. The data leak website associated with the ransomware was also taken offline in Sweden.

The Ragnar Locker ransomware group was one of the first big-game-hunting ransomware groups to steal data in addition to encrypting files, threatening victims with the release of that data unless a ransom was paid. Unlike many other ransomware groups, Ragnar Locker was not a ransomware-as-a-service (RaaS) operation; instead, it worked with external penetration testers to gain initial access to victims' networks.

The dark web site was seized on Thursday, and at least one arrest was announced on Friday. Because the negotiation site is now under law enforcement control, ransomware victims visiting it receive a message indicating that they are being assisted by law enforcement, even though no assistance has yet been provided to them.

A 35-year-old Czech national, arrested in France on October 16 on suspicion of being the group's leader, was reported to have been detained, and police in his home country searched his residence on suspicion that it was used to shield his activities.

According to Ukrainian authorities, a suspect's home in Kyiv was searched and several devices and electronic media were seized from the residence. The name of the suspect has not yet been released publicly.

Ragnar Locker began operating in late 2019 as an affiliate of Maze or MountLocker, and the group has been active since then. Although it was not one of the biggest groups in terms of attack volume or money collected, it was a significant threat: it penetrated several critical infrastructure entities in several countries, making it a priority for law enforcement.

A central theme among the groups targeted by these major law enforcement campaigns is their tendency to become overly audacious in attacking sensitive critical infrastructure, such as power grids, water supply systems, and hospitals. While Ragnar Locker gained notoriety for its high-profile attacks on gaming company Capcom and liquor giant Campari, it was the attacks on entities like Energias de Portugal that truly propelled it up the priority ladder.

A flash warning issued by the FBI in early 2022 revealed that, by that point, Ragnar Locker had already breached the defences of 52 critical infrastructure companies across 10 different sectors in the United States. This alarming figure highlights the scale and impact of Ragnar Locker's activities.

This investigation was conducted by agents from the US FBI and the French Secret Service, along with representatives of Europol and INTERPOL. As a result of this investigation, two senior Ragnar Locker operatives were arrested, along with eight other officers from French and US intelligence agencies. 

This week's arrests and disruptions are the result of an ongoing investigation. Europol supported the investigation from the very beginning, bringing together all the nations concerned to coordinate a joint action.

In preparation for the current steps, Europol's cybercrime experts held 15 coordination meetings and two week-long sprints. Following Europol's decision last week to establish a virtual command post for smooth cooperation among all the entities involved, the agency is also providing analysis, malware analysis, forensic, and crypto-tracing support.

This move by the authorities to bring down the Ragnar Locker ransomware group underlines the importance of international cooperation in combating cybercrime. Law enforcement officials from different countries worked together to dismantle the group's infrastructure and arrest its key members.

The Ragnar Locker ransomware group was brought to an end by a remarkable display of international collaboration among law enforcement agencies. International cooperation has proven to be an effective method of safeguarding our digital environment in this particular operation.

Ragnar Locker Taken Down by FBI and Other Police Organizations

The Ragnar Locker ransomware gang's data leak sites have been taken down as a result of an international law enforcement operation by the U.S. Federal Bureau of Investigation, the European Union Agency for Law Enforcement Cooperation, and numerous national police forces.

Prior to the disruption, Ragnar Locker had 100 firms from 27 different industries listed on its data breach site.

The takedown of Ragnar Locker's leak site follows other law enforcement actions: sanctions against TrickBot members, the disruption of the Hive ransomware operation, the takedown of the Russian CyclopsBlink botnet, and the halting of Chinese attacks on Microsoft Exchange servers.

According to Bleeping Computer, visits to Ragnar Locker's primary dark web leak site now display a message stating, "this service has been seized as part of a coordinated international law enforcement action against the Ragnar Locker group."

A spokesperson for Europol confirms that the seizure is legitimate and part of an ongoing operation targeting the gang, and that additional information will be released shortly. The FBI, however, has declined to comment on the matter.

Ragnar Locker

Ragnar Locker is a well-known "double-tap" ransomware gang, so named because it both encrypts files and steals data, demanding a ransom payment in exchange for a decryption key and a promise not to release the stolen material. Over the years the gang has used a variety of tactics against its victims, including, in the past, buying Facebook Inc. advertisements to pressure victims into paying.

Some of the victims of Ragnar Locker include Italian drinks maker Davide Campari-Milano S.p.A, French shipping giant CMA CGM S.A. and Japanese video game developer Capcom Co. Ltd.

Adam Meyers, head of Counter Adversary Operations at CrowdStrike Holdings Inc., notes that law enforcement agencies from the European Union, the US, and Japan are expected to formally announce the seizure of Ragnar Locker's dedicated leak site on Friday.

“VIKING SPIDER is one of the first Big Game Hunting ransomware adversaries to leverage the threat of publication of stolen data to a dedicated leak site to pressure victims [...] In its period of activity, VIKING SPIDER posted over a hundred victims from 27 sectors to their DLS,” Meyers explained. “CrowdStrike Intelligence assesses that this operation will likely severely impact VIKING SPIDER operations in the medium term. This assessment is made with moderate confidence given the effectiveness of other similar operations.”

Even though "on the surface this feels like a win, ultimately it may be no more than an inconvenience for the Ragnar group if they are able to quickly set up other servers to replace these," said Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc. Kron cautioned that the shutdown of the sites can create problems for businesses that have already been hit by a Ragnar Locker ransomware attack and now have no way to negotiate with the criminals.

“Unless the websites that were seized contain information or decryption keys for these people, it could significantly delay their ability to recover [...] In the cases where encryption didn’t occur but the data was stolen, there’s a good chance that that data still resides with people that make up the group,” he added.