A coalition of international law enforcement agencies has successfully disrupted the infamous RagnarLocker ransomware group’s operations.
The joint operation, comprising agencies from the U.S., European Union, Japan, and more, has seized the group’s dark web portal used for extorting victims by releasing stolen data. Visitors to the portal are now greeted with a message indicating its seizure by international law enforcement.
Europol announced the intervention, detailing the group’s involvement in “numerous high-profile attacks.” A 35-year-old individual in Paris, believed to be the central figure behind RagnarLocker, was arrested on October 16. Investigations spanned Europe, with the primary developer’s residence being searched in the Czech Republic, while associates were questioned in Spain and Latvia.
Operational infrastructure in the Netherlands, Germany, and Sweden linked to RagnarLocker was also confiscated. Eurojust, the EU’s justice cooperation unit, reported the seizure of nine servers across these countries. Cryptocurrencies were seized, but their value remains undisclosed.
Ukrainian officers, integral to the 11-country coalition, inspected a property near Kiev, leading to the recovery of various electronic devices linked to another suspect.
The Italian State Police, or Polizia di Stato, revealed its participation in this initiative, termed “Operation Mole.” A video released showcases a coordinated raid involving French, Italian, and Czech officers.
RagnarLocker, both the name of the malware and the associated criminal entity, has been operational since 2020, targeting critical infrastructure organizations. Ties to Russia have been speculated by some security experts.
The FBI, in a previous alert, had identified over 52 U.S. entities across vital sectors, such as energy, manufacturing, and government, that had been compromised by RagnarLocker. Indicators of compromise, including Bitcoin and email addresses linked to the group, were released.
Ukraine’s police shared that, since 2020, 168 global companies in the U.S. and Europe had been targeted by the group, with ransoms ranging from $5 to $70 million in cryptocurrency. Those who resisted payment or contacted authorities would have their data exposed on the group’s dark web portal.
Europol emphasized the group’s threats against victims reaching out to law enforcement, promising to publicize stolen data on its dark web “Wall of Shame.” The agency highlighted the irony, saying, “Little did they know that law enforcement was closing in on them.”
Recent activities of RagnarLocker include an assault on Israel’s Mayanei Hayeshua hospital in September, with the gang threatening to disclose over a terabyte of data supposedly extracted during the event.