Europol reveals Ragnar Locker ransomware gang dismantled following multinational law enforcement operation

Europol, alongside multiple international law enforcement agencies, coordinated a significant operation against the Ragnar Locker ransomware group, leading to the arrest of its main developer in Paris and actions in countries like Czechia, Spain, and Latvia. Additionally, the group’s infrastructure across the Netherlands, Germany, and Sweden was dismantled, with their Tor data leak site being shut down after an extensive multi-country investigation.

“Law enforcement and judicial authorities from eleven countries delivered a major blow to one of the most dangerous ransomware operations of recent years,” Europol disclosed in a media statement last week. “This action, coordinated at international level by Europol and Eurojust, targeted the Ragnar Locker ransomware group. The group were responsible for numerous high-profile attacks against critical infrastructure across the world.”

Close cooperation between the involved law enforcement authorities was also supported by Europol’s Joint Cybercrime Action Taskforce (J-CAT), composed of cybercrime liaison officers posted to Europol’s headquarters.

Authorities from multiple countries collaborated in the investigation, including the National Counter-Terrorism, Extremism, and Cybercrime Agency of Police in the Czech Republic; the National Cybercrime Centre of the French Gendarmerie (Gendarmerie Nationale – C3N); Germany’s State Criminal Police Office Sachsen (Landeskriminalamt Sachsen) and Federal Criminal Police Office (Bundeskriminalamt); and Italy’s State Police (Polizia di Stato) and Postal and Communication Police (Polizia Postale e delle Comunicazioni). 

Furthermore, Japan’s National Police Agency (NPA); Latvia’s State Police (Latvijas Valsts Policija); the Police of East Netherlands (Politie Oost-Nederland) in the Netherlands; Spain’s Civil Guard (Guardia Civil); the Swedish Cybercrime Centre (SC3); the Cyberpolice Department of the National Police of Ukraine (Національна поліція України); and the Atlanta Field Office of the Federal Bureau of Investigation (FBI) were also part of the investigation. 

The investigation was conducted under the auspices of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

In an action carried out between Oct. 16 and Oct. 20, searches were conducted in Czechia, Spain, and Latvia. The ‘key target’ of the investigation into this ransomware strain was arrested in Paris, France, on Oct. 16, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days.

At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, was brought in front of the examining magistrates of the Paris Judicial Court, Europol confirmed. “The ransomware’s infrastructure was also seized in the Netherlands, Germany, and Sweden and the associated data leak website on Tor was taken down in Sweden,” it added.   

The international sweep follows a complex investigation led by the French National Gendarmerie, together with law enforcement authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the U.S. In the framework of this investigation, a first round of arrests was carried out in Ukraine in October 2021 with Europol’s support.

Initially observed in December 2019, Ragnar Locker denotes both a strain of ransomware and the criminal syndicate responsible for its development and operation. Known for its assaults on global critical infrastructure, the malicious entity recently made headlines for its targeting of the Portuguese national carrier and a hospital in Israel.

Designed to exploit vulnerabilities in Microsoft Windows operating systems, this ransomware primarily leveraged exposed services such as Remote Desktop Protocol to infiltrate targeted systems. Operating with a double extortion strategy, the Ragnar Locker group coerced exorbitant payments for decryption tools and the non-disclosure of pilfered sensitive data. Due to its focus on critical infrastructure, Ragnar Locker was classified as a high-level threat.
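Because the initial access described above relied on exposed services such as RDP, one basic defensive control is to alert on bursts of failed RemoteInteractive logons from a single source. The following is an added example written for this article, not code from Europol, the article, or any of the agencies named; the log lines are constructed, and the flat `key=value` layout of Windows Security Event ID 4625/4624 records is an assumption about how the events were exported.

```python
"""Detect password-guessing bursts against RDP from Windows Security log lines.

Added example, not part of the original article. The sample records below are
constructed; the "timestamp key=value ..." layout is an assumed export format
for Event ID 4625 (failed logon) and 4624 (successful logon). LogonType 10 is
the RemoteInteractive (RDP) logon type.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammers several accounts over RDP and then
# succeeds; a second source has a single failure; a local console failure is noise.
SAMPLE_LOG = """\
2023-10-16T02:14:01Z EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2023-10-16T02:14:03Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2023-10-16T02:14:04Z EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2023-10-16T02:14:06Z EventID=4625 LogonType=10 TargetUser=svc_sql IpAddress=203.0.113.7
2023-10-16T02:14:09Z EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2023-10-16T02:14:11Z EventID=4624 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2023-10-16T02:30:00Z EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=192.0.2.44
2023-10-16T03:00:00Z EventID=4625 LogonType=2 TargetUser=jsmith IpAddress=127.0.0.1
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts keyed by source IP.

    A source is flagged when it produces at least `threshold` failed RDP
    (LogonType 10) logons inside any `window`-long sliding interval. The alert
    records how many accounts were tried and whether a successful RDP logon
    from the same source followed the burst, which is the case that matters most.
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures = defaultdict(list)
    successes = defaultdict(list)
    for rec in records:
        if rec.get("LogonType") != "10":
            continue  # ignore console, service and other non-RDP logon types
        if rec["EventID"] == "4625":
            failures[rec["IpAddress"]].append((rec["ts"], rec["TargetUser"]))
        elif rec["EventID"] == "4624":
            successes[rec["IpAddress"]].append(rec["ts"])

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = events[end][0]
                alerts[ip] = {
                    "failed_logons": end - start + 1,
                    "distinct_users": len({user for _, user in events[start:end + 1]}),
                    "success_after_burst": any(t >= burst_end for t in successes.get(ip, [])),
                }
                break  # report the first burst per source only
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample the only alert is for 203.0.113.7, with five failures against four accounts followed by a success; the single failure from 192.0.2.44 and the local LogonType 2 failure are ignored. In a real deployment the threshold and window should be tuned to the environment, and a burst followed by a success warrants immediate investigation of the account that logged on.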

Ragnar Locker explicitly warned their victims against contacting law enforcement, threatening to publish all the stolen data of victimized organizations seeking help on its dark web ‘Wall of Shame’ leak site, Europol disclosed. 

“All that the FBI/ransomware negotiators/investigators do is muck things up, so we’re going to publish your stuff if you call for help”, the Ragnar Locker ransomware gang announced on its hidden website. 

Little did they know that law enforcement was closing in on them, Europol observed.

Last September, the Cybereason Global Security Operations Center (GSOC) team investigated Ragnar Locker, covering the malware family, the ransomware itself, and the operator behind it, which at the time claimed to have breached systems at Greek pipeline company DESFA. The hackers caused a ‘limited scope data breach and IT system outage following a cyberattack’ at the natural gas operator. DESFA said that all industrial operations related to the Greek national natural gas system kept operating as usual, and the damage was only to its IT systems.

The U.S. FBI confirmed in January 2022 the impact of RagnarLocker ransomware on a minimum of 52 entities across ten critical infrastructure sectors. These ransomware attacks, as of January 2022, have primarily targeted entities within critical manufacturing, energy, financial services, government, and information technology sectors. The agency emphasized the dynamic nature of the RagnarLocker ransomware group, citing their continual adaptation of obfuscation techniques to evade detection and prevention measures.

This is not the first time that international agencies have come together to close down ransomware operations. In January, Europol supported the German, Dutch, and U.S. authorities in disrupting and taking down the infrastructure used by Hive ransomware affiliates, involving law enforcement authorities from a total of 13 countries. The agency supported the shutting down of servers and provided decryption tools to victims. 

At the time, the U.S. Department of Justice announced its ‘months-long disruption’ campaign against the Hive ransomware group had targeted over 1,500 victims across over 80 countries around the world. The hackers have since 2021 targeted hospitals, school districts, financial firms, and critical infrastructure, and received over US$100 million in ransom payments.
