DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Ragnar Locker ransomware gang taken down by international police swoop — Europol

Posted on October 20, 2023 by Dissent

The announcement from Europol we’ve been waiting for:

This week, law enforcement and judicial authorities from eleven countries delivered a major blow to one of the most dangerous ransomware operations of recent years.

This action, coordinated at international level by Europol and Eurojust, targeted the Ragnar Locker ransomware group. The group were responsible for numerous high-profile attacks against critical infrastructure across the world.

In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain and Latvia. The “key target” of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days. At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.

The ransomware’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.

This international sweep follows a complex investigation led by the French National Gendarmerie, together with law enforcement authorities from the Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and the United States of America.

In the framework on this investigation, a first round of arrests were carried out in Ukraine in October 2021 with Europol’s support.

What kind of malware is Ragnar Locker?

Active since December 2019, Ragnar Locker is the name of a ransomware strain and of the criminal group which developed and operated it.

This malicious actor made a name for itself by attacking critical infrastructure across the world, having most recently claimed the attacks against the Portuguese national carrier and a hospital in Israel.

This strain of ransomware targeted devices running Microsoft Windows operating systems and would typically exploit exposed services like Remote Desktop Protocol to gain access to the system.

The Ragnar Locker group was known to employ a double extortion tactic, demanding extortionate payments for decryption tools as well as for the non-release of the sensitive data stolen.

The threat level of Ragnar Locker was considered as high, given the group’s inclination to attack critical infrastructure.

Don’t call the cops

Ragnar Locker explicitly warned their victims against contacting law enforcement, threatening to publish all the stolen data of victimised organisations seeking help on its dark web ‘Wall of Shame’ leak site.

“All that the FBI/ransomware negotiators/investigators do is muck things up, so we’re going to publish your stuff if you call for help”, the Ragnar Locker ransomware gang announced on its hidden website.

Little did they know that law enforcement was closing in on them.

Back in October 2021, investigators from the French Gendarmerie and the US FBI, together with specialists from Europol and INTERPOL were deployed to Ukraine to conduct investigative measures with the Ukrainian National Police, leading to the arrest of two prominent Ragnar Locker operators.

The investigation continued ever since, leading to the arrests and disruption actions this week. Europol’s European Cybercrime Centre Europol supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy.

Its cybercrime specialists organised 15 coordination meetings and two week-long sprints to prepare for the latest actions, alongside providing analytical, malware, forensic and crypto-tracing support. A virtual command post was set up this week by Europol to ensure seamless coordination between all the authorities involved.

Eurojust support:

The case was opened by Eurojust in May 2021 at the request of the French authorities. Five coordination meetings were hosted by the Agency to facilitate judicial cooperation between the authorities of the countries that supported the investigation. Eurojust set up a coordination centre during the action week to enable rapid cooperation between the judicial authorities involved.

The Head of Europol’s European Cybercrime Centre, Edvardas Šileris, said:

This investigation shows that once again international cooperation is the key to taking ransomware groups down. Prevention and security are improving, however ransomware operators continue to innovate and find new victims. Europol will play its role in supporting EU Member States as they target these groups, and each case is helping us improve our modes of investigation and our understanding of these groups. I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence.

Close cooperation between the involved law enforcement authorities was also supported by Europol’s Joint Cybercrime Action Taskforce (J-CAT), composed of cybercrime liaison officers posted to Europol’s headquarters.

The following authorities took part in the investigation:

•    Czechia: National Counter-Terrorism, Extremism and Cybercrime Agency of Police of the Czech Republic
•    France: National Cybercrime Centre of the French Gendarmerie (Gendarmerie Nationale – C3N)
•    Germany: State Criminal Police Office Sachsen (Landeskriminalamt Sachsen), Federal Criminal Police Office (Bundeskriminalamt)
•    Italy: State Police (Polizia di Stato), Postal and Communication Police (Polizia Postale e delle Comunicazioni)
•    Japan: National Police Agency (NPA)
•    Latvia: State Police (Latvijas Valsts Policija)
•    Netherlands: Police of East Netherlands (Politie Oost-Nederland)
•    Spain: Civil Guard (Guardia Civil)
•    Sweden: Swedish Cybercrime Centre (SC3)
•    Ukraine: Cyberpolice Department of the the National Police of Ukraine (Національна поліція України)
•    United States: Atlanta Field Office of the Federal Bureau of Investigation

The investigation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

Empact

The European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats posed by organised and serious international crime affecting the EU. EMPACT strengthens intelligence, strategic and operational cooperation between national authorities, EU institutions and bodies, and international partners. EMPACT runs in four-year cycles focusing on common EU crime priorities.

Related posts:

  • AlphaBay and Hansa taken down in coordinated operations by FBI and Dutch National Police
  • RaidForums seized in Operation TOURNIQUET; forum’s administrator and two accomplices arrested
  • Two members of ransomware gang arrested in Ukraine with Europol’s support
  • Europol Publishes Law Enforcement and Industry Report on Spear Phishing
Category: MalwareOf Note

Post navigation

← France frees the two biggest Spanish hackers
D.C. Board of Elections revises its estimate of data breach — could be entire voter roll →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.