Ransomware gang RagnarLocker has had its dark web portal seized in an international law enforcement operation led by the pan-European police force Europol.
The cybercriminal gang, thought to operate out of Russia, has been active for the past four years, targeting organisations in the public and private sectors.
Locked down: Ragnar Locker’s online portal disabled
A message on the gang’s dark web page, which it used to post details of victims, says that “this service has been seized as part of a coordinated law enforcement action against the RagnarLocker group”.
Alongside the message, the logos of 15 law enforcement agencies are displayed, including those of Europol and the FBI. A Europol spokesperson told Tech Monitor the agency is “part of an ongoing action against [RagnarLocker]”, and that more details would be released later today.
Also known simply as Ragnar, the group’s ransomware has been on the radar of the FBI since 2020, when the bureau observed it being used to encrypt files belonging to an unnamed “large corporation”, with an $11m ransom demand for the release of 10TB of data.
Since then it has been deployed against cloud service providers, enterprise software vendors and companies in the communications, construction and travel sectors. Known victims include video game publisher Capcom, Portuguese energy supplier Energias de Portugal and Italian drinks conglomerate Campari.
Last August, Tech Monitor reported that RagnarLocker had struck DESFA, the national gas supplier in Greece. The company said at the time that it would not negotiate with the criminals and that gas supply had not been disrupted by the breach. However, it admitted that it had to disable all of its IT systems to contain the problem.
The gang is known for using so-called “double extortion” tactics, where a cash ransom is demanded to decrypt data, while the threat of publishing information online is used to extract additional payments.
Jake Moore, global cybersecurity advisor at ESET, said any takedown by Europol should be regarded as “both significant and impressive”, adding that this particular operation “stands out because of its Russian links and the challenges facing the police”.
Moore said: “Previously, RagnarLocker cautioned victims against reaching out to the police or the FBI about their ransom demands, threatening data exposure if they did. Their financial motivations are usually very clear and with no room to negotiate.
“However, RagnarLocker is not the typical ransomware-as-a-service operator. The gang is focusing mostly on data theft, not data encrypting, so they will probably set up a new channel to extort their victims. And without arrest, there’s little doubt that the criminals behind it have all the opportunity to continue in their malicious activities.”
Europol continues its campaign against cybercriminals
Law enforcement agencies have been actively targeting some of the most dangerous cybercriminal gangs this year. In January, Europol and the FBI took down the Hive ransomware gang’s online infrastructure in an operation involving police from 13 countries.
As part of the bust, officers obtained encryption keys that they believed could help victims of the group’s attacks retrieve stolen data and avoid paying ransoms totalling more than $100m.
In April, dark web marketplace Genesis, at the time one of the largest markets for stolen credentials, was shut down in a bust involving the FBI and the UK’s National Crime Agency. More than 120 arrests were made.
More recently, in August, the FBI announced it had dismantled the Qakbot botnet, a tool that has been used by some of the world’s most prolific ransomware gangs to launch attacks.
Police from the UK and Germany aided the take-down of the botnet, which is thought to have infected more than 700,000 devices worldwide. At the time the FBI said it had seized cryptocurrency worth $8.6m as part of the raid.