EU Authorities Deal Blow to RagnarLocker Ransomware Operations

Law enforcement agencies throughout Europe and the United States took a big swing at the notorious RagnarLocker ransomware group, arresting a malware developer, seizing parts of its infrastructure, and shutting down its negotiation and leak sites on the Tor network.

During the operation, which stretched over the last four days and multiple European countries, authorities also seized an amount of cryptocurrency, according to the European Union Agency for Criminal Justice Cooperation (Eurojust).

“The current operation focused on identifying and shutting down some of the servers used by the hacker group, particularly those used for the exfiltration and publication of data,” Eurojust wrote in a statement. “During the action days, simultaneous searches and hearings of suspects took place in France, Spain, Latvia and the Czech Republic.”

RagnarLocker began operations in late 2019, quickly gaining a reputation as an active and aggressive ransomware group targeting corporate networks. The group used double-extortion tactics: it not only encrypted files but also stole data, demanding a ransom both for the decryption keys and for a promise not to make the stolen data public.

A Dangerous Threat Group

SentinelOne researchers described RagnarLocker as “a dangerous threat group that does not tolerate the use of ‘negotiation’ or ‘recovery’ companies during ransom negotiations. Furthermore, they often use different ransomware payloads from other malicious developers, keeping their malware up-to-date.”


Eurojust said the group would ask for ransoms between $5 million and $70 million. RagnarLocker is suspected of committing attacks against 168 international companies around the world since 2020.

The takedown operation, which ran between October 16 and October 20, was coordinated by law enforcement officials from France. Beyond the searches and hearings in France, Latvia, Spain, and the Czech Republic, nine servers were taken down, including five in the Netherlands, two in Germany, and two in Sweden.

The group’s alleged malware developer – described by Eurojust as being the “main perpetrator” – was arrested and brought before magistrates in the Paris Judicial Court.

Other countries participating in the operation against RagnarLocker included Ukraine and Japan. Europol also was involved in the case, which was opened in May 2021 by Eurojust at the request of France.

Ukraine’s Cyber Police Department said in its own statement that its law enforcement officers conducted searches in the capital city of Kyiv of one of the group’s alleged members, seizing laptops, mobile phones, and electronic media.

Division of Duties

Ukraine officials also gave a glimpse of how the group divvied up duties among its members.

“Individual members were responsible for gathering information and finding vulnerabilities in the victims’ cybersecurity architecture,” they said. “They transferred the collected information to accomplices with computer programming skills. The latter were responsible for creating and modifying malicious software in order to further damage a specific company.”

This was the third law enforcement action taken against RagnarLocker in the last two years. A coordinated operation between France, Ukraine, and the United States led to the arrest of two suspects in Ukraine. Thirteen months later, another action by U.S., Canadian, and French authorities led to the arrest of another suspect.

A Big Blow, But Likely Not Lethal

Eurojust said the operation “dealt an important blow” to RagnarLocker, but it will take time to see how big a hole it blew in the group’s operations.

The FBI and other law enforcement agencies conducted a raid in August that shut down the infrastructure of the Qakbot malware group. However, despite the action, the bad actors behind Qakbot continued to run a campaign that began before the raid using phishing attacks to distribute ransomware and a remote access trojan (RAT).

The FBI also led the takedown of the Hive ransomware group earlier this year, and that action seems to have had a more lasting effect on the targeted operation.

Ngoc Bui, cybersecurity expert at Menlo Security, told Security Boulevard that the seizure of RagnarLocker’s infrastructure seems like a big deal for such an active ransomware group and will make it more difficult for it to carry out attacks. In addition, it sends a message to other cybercriminals that law enforcement around the world is taking ransomware seriously.

Andi Ursry, cyber threat intelligence analyst at Optiv, agreed, telling Security Boulevard that “disrupting a group like RagnarLocker highlights the increased focus and attention law enforcement has placed on stopping these groups.”

However, the long-term impact on the RagnarLocker operators is unknown, Ursry said, adding that they will rebrand, something that has happened with other groups in the past.

There probably will be at least a short-term impact on the group, Menlo’s Bui said. Such actions can be effective, but ransomware gangs often can regroup and quickly set up new infrastructure, though seizures may make it more difficult and costly to operate. That said, having its infrastructure shut down is likely a temporary setback for RagnarLocker.

“The likelihood of this being a setback and not a takedown makes this less of a big deal,” Bui said. “It’s more of a ‘grab your popcorn and see what happens.’”


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
