European Police Dismantle Ragnar Locker Infrastructure

Police Make 1 Arrest, Question Another 5 Suspects
Ragnar Locker's dark web data leak site began resolving to this takedown notice on Oct. 19, 2023. (Image: Information Security Media Group)

European police in Paris this week arrested a man accused of being a key developer of Ragnar Locker ransomware in a police operation that seized the group's digital infrastructure in multiple countries.

A joint action led by French authorities resulted in one arrest and the questioning of five suspects located in Spain and Latvia in a coordinated action that began Monday, Europol announced Friday. Police also searched the alleged developer's residence in the Czech Republic.

Police identified Ragnar Locker infrastructure in the Netherlands, Germany and Sweden, which hosted the group's dark web leak site.

Ragnar Locker is crypto-locking malware that runs on the Windows and Linux operating systems. The operators mainly used the double-extortion tactic of stealing data and threatening to leak it to extort a ransom from victims. News of the police operation emerged on Thursday after the ransomware group's dark web site displayed a seizure notice (see: Is the Ragnar Locker Ransomware Group Headed for Oblivion?).

The Friday arrest comes after a joint action carried out by the French, Canadian and U.S. authorities to arrest a Ragnar suspect in Canada in October 2022. Ukrainian police in September 2022 detained two alleged Ragnar operators in cooperation with French and American police agencies.

The Russian-speaking group first appeared in 2019 and mainly targeted large industrial groups in Europe and North America from April 2020 onward. The group was notorious for its large ransom amounts, which ranged from $5 million to $70 million. Its victims include energy firm Energias de Portugal, Japanese gaming firm Capcom, aircraft maker Dassault Falcon and Italian liquor-making giant Campari.

In March 2022, the FBI warned that Ragnar Locker appeared to be actively targeting critical infrastructure sectors and had amassed at least 52 U.S. victim organizations across 10 critical infrastructure sectors.

The bust is the latest in a series of actions taken by international law enforcement agencies against ransomware and other cybercrime groups. In September, the U.S. and British authorities sanctioned 11 Russian TrickBot operations. Prior to that, U.S. agencies shuttered QakBot botnet infrastructure. Earlier this year, the FBI seized Hive ransomware servers in a multi-nation takedown.

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
