View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 20, 2023

Europol sting takes down RagnarLocker ransomware gang

As police continue their campaign against cybercriminals, a notorious gang appears to have been stopped.

By Matthew Gooding

Ransomware gang RagnarLocker has had its dark web portal seized in an international law enforcement operation led by the pan-European police force Europol.

Europol has apparently taken down the online infrastructure of the RagnarLocker ransomware gang. (Photo by PixelBiss/Shutterstock)

The cybercriminal gang, thought to operate out of Russia, has been active for the past four years, targeting organisations in the public and private sectors.

Locked down: Ragnar Locker’s online portal disabled

A message on the gang’s dark web page, which it used to post details of victims, says that “this service has been seized as part of a coordinated law enforcement action against the RagnarLocker group”.

Alongside the message, the logos of 15 law enforcement agencies are displayed, including that of Europol and the FBI. A Europol spokesperson told Tech Monitor the agency is “part of an ongoing action against [RagnarLocker]”, and that more details would be released later today.

Also known simply as Ragnar, the group’s ransomware has been on the radar of the FBI since 2020, when the bureau observed it being used to encrypt files belonging to an unnamed “large corporation”, with an $11m ransom demand for the release of 10TB of data.

Since then it has been deployed against cloud service providers, enterprise software vendors and companies in the communications, construction and travel sectors. Known victims include video game publisher Capcom, Portuguese energy supplier Energias de Portugal and Italian drinks conglomerate Campari.

Last August, Tech Monitor reported that RagnarLocker had struck DESFA, the national gas supplier in Greece. The company said at the time that it would not negotiate with the criminals and that gas supply had not been disrupted by the breach. However, it admitted that it had to disable all of its IT systems to contain the problem.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

The gang is known for using so-called “double extortion” tactics, where a cash ransom is demanded to decrypt data, while the threat of information being published online is also used as a method to gain additional payments.

Jake Moore, global cybersecurity advisor at ESET, said any takedown by Europol should be regarded as “both significant and impressive”, adding that this particular operation “stands out because of its Russian links and the challenges facing the police”.

Moore said: “Previously, RagnarLocker cautioned victims against reaching out to the police or the FBI about their ransom demands, threatening data exposure if they did. Their financial motivations are usually very clear and with no room to negotiate.

“However, RagnarLocker is not the typical ransomware-as-a-service operator. The gang is focusing mostly on data theft, not data encrypting, so they will probably set up a new channel to extort their victims. And without arrest, there’s little doubt that the criminals behind it have all the opportunity to continue in their malicious activities.”

Europol continues its campaign against cybercriminals

Law enforcement agencies have been actively targeting some of the most dangerous cybercriminal gangs this year. In January, Europol and the FBI took down the Hive ransomware gang’s online infrastructure in an operation involving police from 13 countries.

As part of the bust, officers obtained encryption keys that they believed could help victims of the group’s attacks retrieve stolen data and avoid paying ransoms totalling more than $100m.

In April, dark web marketplace Genesis, at the time one of the largest markets for stolen credentials, was shut down in a bust involving the FBI and the UK’s National Crime Agency. More than 120 arrests were made.

More recently, in August, the FBI announced it had dismantled the Qakbot botnet, a tool that has been used by some of the world’s most prolific ransomware gangs to launch attacks.

Police from the UK and Germany aided the take-down of the botnet, which is thought to have infected more than 700,000 devices worldwide. At the time the FBI said it had seized cryptocurrency worth $8.6m as part of the raid.

Read more: UK and Five Eyes allies issue warning over Chinese IP theft

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.