
Europol knocks RagnarLocker offline in second major ransomware bust this year

Law enforcement agencies have taken over RagnarLocker ransomware group’s leak site in an internationally coordinated takedown.

Among the agencies involved are Europol’s European Cybercrime Centre (EC3), the US’s Federal Bureau of Investigation (FBI), and Germany’s Bundeskriminalamt (BKA), among many others.

The takedown follows a concerted effort from law enforcement in recent years to shutter ransomware groups as their success continues to exceed previous records.

In January this year, the FBI led the way in taking down the Hive group, handing out decryption keys to more than 300 victims. The Bureau calculated the potential savings in ransom fees to be around $130 million.

At the time, FBI director Christopher Wray said only about 40 percent of Hive’s victims contacted the FBI about the incident. 

A known tactic of RagnarLocker is to dissuade victims from contacting domestic law enforcement, a fact that makes the latest bust extra special, according to Jake Moore, global cybersecurity advisor at ESET.

“Any takedown by Europol is both significant and impressive but this seems to have extra kudos due to its Russian origin and it reflects the power of trying to suppress law enforcement help,” he told The Register.

“In the past, RagnarLocker has warned their victims not to contact the police or FBI concerning their ransom demands or face the threat of having their data published. Therefore, this takedown will come as an extra blow to the ransomware group who clearly have a bone of contention with the authorities.”

Asked about the takedown, Europol declined to comment any further, other than that it’s “part of an ongoing action against this ransomware group.” More details are expected to be released via official channels tomorrow.

RagnarLocker's dark web leak site seized and defaced by international law enforcement agencies

What is RagnarLocker?

RagnarLocker emerged in late 2019 or early 2020, depending on which security company’s reports you read, and its location has never been conclusively proven.

Many different European and Asian countries have been linked to the gang that uses its own eponymous ransomware payload, though Russia and Ukraine are among those most often floated.

The FBI was prompted to release an advisory in March 2022 alerting organizations to its typical mission objectives – targeting critical infrastructure.

It said at the time that 52 critical infrastructure organizations had been successfully targeted by the group. This included victims in the manufacturing and energy sectors, as well as finance, government, and IT. 

It came just a year after one of the largest attacks on critical infrastructure in US history swept headlines, at a time when attacks on critical infrastructure were still certainly high up on the list of the US’ concerns.

DarkSide’s attack on Colonial Pipeline caused major disruption to the East Coast of the US, and prompted the Biden administration to issue Executive Order 14028: Improving the Nation’s Cybersecurity in response.

RagnarLocker was also well known for adopting a double extortion model and was notoriously staunch in its approach to negotiations.

Most modern ransomware groups are open to negotiating fees, as long as the negotiations don’t hurt their feelings. RagnarLocker was known for its take-it-or-leave-it stance on issuing ransom demands. 

The gang was previously considered one of the most dangerous in operation, though it hasn’t been as active in 2023.

It was omitted from Microsoft’s latest Digital Defense Report, which ranked the top ransomware groups in operation currently.

The only major attack claimed by RagnarLocker in the past year was on an Israeli hospital – an incident that saw it leak 400GB of data of an alleged total 1TB stolen, part of its telltale double extortion tactic. Well… former tactic, now. ®