Authorities confirm that RagnarLocker ransomware has been removed during an international sting
An international group of law enforcement agencies has disrupted the infamous RagnarLocker ransomware operation.

An international law enforcement operation involving agencies from the US, EU and Japan had seized the RagnarLocker group’s dark web portal, TechCrunch reported Thursday. The portal, which the gang used to extort their victims by publishing their stolen data, now reads: “This service has been seized as part of a coordinated international law enforcement action against the RagnarLocker Group.”

Announcing the takedown on Friday, Europol confirmed it had taken coordinated action against RagnarLocker, which it said was responsible for “several high-profile attacks”. The European police agency also confirmed the arrest on 16 October of a 35-year-old man in Paris, whom authorities have accused of being the “main perpetrator” of the operation. Authorities searched the home of an alleged RagnarLocker developer in the Czech Republic. Alleged associates of the developer were also interviewed in Spain and Latvia.

RagnarLocker infrastructure was also seized in the Netherlands, Germany and Sweden. According to Eurojust, the EU agency that coordinates criminal justice cooperation across the bloc, a total of nine servers were seized: five in the Netherlands, two in Germany and two in Sweden. Eurojust also reports that it has seized various cryptocurrencies, although their value is currently unknown.

Ukrainian authorities, which were part of the 11-nation operation, said in a separate announcement on Friday that their officers had searched the premises of another RagnarLocker suspect near Kiev and recovered laptops, mobile phones and other electronic media.

In a press release, Italy’s Polizia di Stato (State Police) confirmed its participation in the coordinated international effort, which it called “Operation Mole”. The Italian law enforcement agency also published a video showing footage of a raid carried out by French, Italian and Czech police agents, presumably at the home of the 35-year-old man they arrested.

RagnarLocker is the name of both a ransomware strain and the criminal group that developed and operates it. The gang, which some security experts have linked to Russia, has been seen targeting victims since 2020, and has primarily attacked organizations in critical infrastructure sectors.

[Photo: authorities raiding the home of the alleged developer of the RagnarLocker ransomware, seizing computers and other equipment. Image Credit: Polizia di Stato]

In an alert published last year, the FBI warned that it had identified at least 52 US entities across 10 critical infrastructure sectors, including manufacturing, energy and government, that were affected by the RagnarLocker ransomware. At the same time, the FBI released indicators of compromise linked to RagnarLocker, including Bitcoin addresses used to collect ransom demands and email addresses used by the gang’s operators.

In its announcement on Friday, Ukrainian police said that since 2020 the RagnarLocker group had attacked 168 international companies in Europe and the United States and stolen their data. The group demanded between $5 million and $70 million in cryptocurrency from its victims.

If a victim refused to pay or notified law enforcement about the intrusion, the hackers would publish the victim’s data on the group’s dark web site, the one now seized.

“Ragnar Locker explicitly warned its victims against contacting law enforcement, threatening to publish all stolen data from victim organizations seeking help on its dark web ‘Wall of Shame’ leak site,” Europol said on Friday. “Little did they know that law enforcement was closing in on them.”

Although the gang has been under the surveillance of law enforcement for some time, RagnarLocker has been targeting victims as recently as this month, according to ransomware tracker RansomWatch. In September, the gang claimed responsibility for the attack on Israel’s Maayene HaYeshua hospital and threatened to leak more than a terabyte of data allegedly stolen during the incident.

Lorenzo Franceschi-Bicchierai contributed reporting and writing. This article was first published on 19 October, and was updated with new details and comment from Europol and Italy’s Polizia di Stato (State Police).