
Ragnar Locker Taken Down by FBI and Other Police Organizations


The Ragnar Locker ransomware gang's data leak sites have been taken down as a result of an international law enforcement operation by the U.S. Federal Bureau of Investigation, the European Union Agency for Law Enforcement Cooperation, and numerous national police forces.

Prior to the disruption, Ragnar Locker had 100 firms from 27 different industries listed on its data breach site.

Ragnar Locker's leak site was destroyed when TrickBot members were sanctioned, the Hive ransomware operation was stopped, the Russian CyclopsBlink botnet was taken down, and Chinese attacks on Microsoft Exchange servers were stopped.

According to Bleeping Computer, visits to Ragnar Locker's primary dark web leak site now display a message stating, "this service has been seized as part of a coordinated international law enforcement action against the Ragnar Locker group."

A spokesperson for Europol confirms that additional information will be released shortly and that the seizure is legal and a part of an ongoing operation targeting the gang. However, the FBI has declined to comment on the issue.

Ragnar Locker

Ragnar Locker is a popular double-tap ransomware gang, so called because it both encrypts files and steals data, demanding a ransom payment in exchange for both a decryption key and a promise not to release the stolen material. The gang has targeted victims using a variety of tactics over the years, including purchasing Facebook Inc. advertisements to put pressure on its victims to make payments.

Some of the victims of Ragnar Locker include Italian drinks maker Davide Campari-Milano S.p.A, French shipping giant CMA CGM S.A. and Japanese video game developer Capcom Co. Ltd.

Adam Meyers, head of Counter Adversary Operations at CrowdStrike Holdings Inc., notes that law enforcement agencies from the European Union, the US, and Japan are expected to formally announce the seizure of Ragnar Locker's dedicated leak site on Friday.

“VIKING SPIDER is one of the first Big Game Hunting ransomware adversaries to leverage the threat of publication of stolen data to a dedicated leak site to pressure victims […] In its period of activity, VIKING SPIDER posted over a hundred victims from 27 sectors to their DLS,” Meyers explained. “CrowdStrike Intelligence assesses that this operation will likely severely impact VIKING SPIDER operations in the medium term. This assessment is made with moderate confidence given the effectiveness of other similar operations.”

Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., said that "on the surface this feels like a win, ultimately it may be no more than an inconvenience for the Ragnar group if they are able to quickly set up other servers to replace these." Kron cautioned that the shutdown of the sites can present problems for businesses that have already been hit by a Ragnar Locker ransomware attack but are now without a way to bargain with the criminals.

“Unless the websites that were seized contain information or decryption keys for these people, it could significantly delay their ability to recover […] In the cases where encryption didn’t occur but the data was stolen, there’s a good chance that that data still resides with people that make up the group,” he further added.