Believed to have been in action since at least late 2019, one of the longest-tenured ransomware gangs is now out of business after an international law enforcement raid. Ragnar Locker’s dark web site is no more after raids throughout Europe and in Ukraine that scooped up equipment and led to at least one arrest of an accused leader of the group.
The operation appears to have mostly been conducted by Europol, with servers seized in several different EU countries, but Ukrainian law enforcement also reports having searched the home of a suspect. With several suspects searched or interviewed, and what appears to be at least one major arrest, there is some hope this action will put the operators out of business for good.
Law enforcement action indicates Ragnar Locker was largely Europe-based
Ragnar Locker has never been one of the groups at the absolute top of the ransomware world, but has been a persistent and dangerous threat since it was first spotted operating around late 2019. Targeting by law enforcement appears to have been due to its willingness to attack critical infrastructure companies, something that has drawn special attention to other major groups in the past two years. However, the group also appeared to have most of its personnel and infrastructure in Europe.
Ragnar Locker has a particular streak of targeting critical infrastructure, with the FBI issuing an advisory about it in 2022. It was also one of the more impatient and ruthless gangs out there, threatening to immediately drop stolen documents to the public via its dark web site if it suspected that victims were making any kind of contact with law enforcement or a third-party negotiating outfit.
In total Ragnar Locker hit about 168 organizations during a run that spanned nearly four years. This included some Fortune 500 companies, but it seems that its preferences had shifted as of late to whatever utilities and hospitals it could find its way into. The group also did not openly work with affiliates, selecting its own targets for ransomware and extortion attacks.
The group appeared to be winding down in recent months, with little activity posted to its dark web site throughout 2023 until it attacked a hospital in Israel in September. That could be due to several things, from internal group dissent to awareness that law enforcement was targeting them. When ransomware groups break up, the members are generally right back at it with other groups within a space of weeks to months, but the arrests and raids in this case lend some hope that the perpetrators can be jailed.
Ragnar Locker dark web site seized, suspect arrested
The arrest following the dark web site seizure was of a 35-year-old Czech man who apparently has some sort of residence in Paris, but authorities said that his home in Czechoslovakia was also searched. Europol also said that suspects in Latvia and Spain were interviewed, and Ukrainian law enforcement reportedly searched the home of a suspect living in Kiev.
Nine servers were seized across other raids in Germany, Sweden and the Netherlands. Law enforcement also reportedly seized some amount of cryptocurrency, but there is no word yet on that being returned to victims.