View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 29, 2022

RagnarLocker’s Belgian police data leak includes child sex abuse material

It is thought sensitive information was included in error when criminals posted information from police online.

By Claudia Glover

Ransomware gang RagnarLocker has leaked data from police in Belgium, exposing 16 years of information kept on record by the force, including child abuse images which were reportedly included in the cache of documents by mistake. The attack has been confirmed by the police in the Zwijndrecht region, with its chief describing the attack as “very painful.”

Belgian police data leaked
Belgian Police unit has lost a huge cache of data, from 2006 to September 2022, which is now being leaked online. (Photo by CapturePB/Shutterstock)

The attack took place in September. RagnarLocker has now started to leak the stolen data. Thousands of files have reportedly been exposed, including crime report files, car number plates and investigation reports. 

How the Belgian police data leaked

The Zwijndrecht police has confirmed via Facebook that the leaks are real, but tried to play down the impact of the attack.

The force said “internet criminals were able to access the administrative network,” and that, “police personnel have been informed”.

Police chief Marc Snels subsequently told a local news network that the scope of the damage may be worse than the statement implies. While most of the information leaked belonged to the staff at the unit, sensitive data was also exposed by the criminals. It is thought they did this in error, not knowing that it was part of the data leak. “That is very painful, of course,” Snels said.

The hackers appear to have targeted a poorly secured Citrix device, which gave them access to the police network. The gang may have been confused about who they were hacking, however, as when the data was published onto its dark web blog, it was originally named the Belgian Municipality of Zwijndrecht. This implies that the hackers may have attacked the wrong organisation. 

This is the second successful attack on Belgian critical national infrastructure this year. In February, oil facilities in several Belgian ports were hit with a cyberattack.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Ragnar Locker targets critical infrastructure

Initially spotted in April 2020, Ragnar Locker is a ransomware gang that writes its own malware for Windows and Linux. The gang is also known to employ double extortion tactics, according to a report by security company Fortinet. 

The FBI released an advisory about the gang earlier this year. As of January 2022, the FBI has identified at least 52 entities across ten critical infrastructure sectors affected by Ragnar Locker ransomware. 

This includes organisations in critical manufacturing, energy, financial services, government and IT sectors. “Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” the FBI said.

Its campaign against infrastructure providers has included a strike against DESFA, Greece’s largest natural gas supplier.

Read more: Ransomware gang steals information and taunts victim on LinkedIn

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.