Ransomware gang RagnarLocker has leaked data from police in Belgium, exposing 16 years of information kept on record by the force, including child abuse images which were reportedly included in the cache of documents by mistake. The attack has been confirmed by the police in the Zwijndrecht region, with its chief describing the attack as “very painful.”
The attack took place in September. RagnarLocker has now started to leak the stolen data. Thousands of files have reportedly been exposed, including crime report files, car number plates and investigation reports.
How the Belgian police data leaked
The Zwijndrecht police have confirmed via Facebook that the leaks are real, but tried to play down the impact of the attack.
The force said “internet criminals were able to access the administrative network,” and that, “police personnel have been informed”.
Police chief Marc Snels subsequently told a local news network that the scope of the damage may be worse than the statement implies. While most of the information leaked belonged to the staff at the unit, sensitive data was also exposed by the criminals. It is thought they did this in error, not knowing that this material was part of the leaked data. “That is very painful, of course,” Snels said.
The hackers appear to have targeted a poorly secured Citrix device, which gave them access to the police network. The gang may have been confused about who they were hacking, however: when the data was published on its dark web blog, the victim was originally named as the Belgian Municipality of Zwijndrecht. This implies that the hackers may have attacked the wrong organisation.
This is the second successful attack on Belgian critical national infrastructure this year. In February, oil facilities in several Belgian ports were hit with a cyberattack.
Ragnar Locker targets critical infrastructure
Initially spotted in April 2020, Ragnar Locker is a ransomware gang that writes its own malware for Windows and Linux. The gang is also known to employ double extortion tactics, according to a report by security company Fortinet.
The FBI released an advisory about the gang earlier this year. As of January 2022, the FBI has identified at least 52 entities across ten critical infrastructure sectors affected by Ragnar Locker ransomware.
This includes organisations in critical manufacturing, energy, financial services, government and IT sectors. “Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” the FBI said.
Its campaign against infrastructure providers has included a strike against DESFA, Greece’s largest natural gas supplier.