The Ragnar Locker ransomware gang was brought down through an international collaboration between police and authorities such as Europol and the FBI. The group was responsible for well over 100 ransomware attacks - including on critical infrastructure.
This week, law enforcement and judicial authorities from eleven countries dismantled one of the most dangerous ransomware gangs. The action, coordinated internationally by Europol and Eurojust, was directed against the ransomware group Ragnar Locker. The group has been responsible for numerous high-profile attacks on critical infrastructure around the world.
Ragnar Locker taken down and suspects arrested
As part of an operation between October 16th and 20th, searches were carried out in the Czech Republic, Spain and Latvia. The ransomware group’s “main target” was arrested in Paris, France on October 16 and his home in the Czech Republic was searched. In the following days, five suspects were questioned in Spain and Latvia. At the end of the week of action, the main perpetrator, who is suspected of being a developer of the Ragnar group, was brought before the investigating judges at the Paris regional court.
The infrastructure the group used to deploy the ransomware was seized in the Netherlands, Germany and Sweden, and the associated leak website on Tor, hosted in Sweden, was taken down. The international raid followed a complex investigation conducted by the French National Gendarmerie together with law enforcement agencies from the Czech Republic, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and the United States of America. As part of this investigation, a first wave of arrests was carried out in Ukraine in October 2021 with the support of Europol.
What kind of malware is Ragnar Locker?
Active since December 2019, Ragnar Locker is the name of a ransomware variant and the criminal group that developed and operated it. The actors have made a name for themselves through attacks on critical infrastructure around the world, most recently against the Portuguese airline and a hospital in Israel.
This ransomware variant targeted devices running Microsoft Windows operating systems and typically gained initial access through exposed services such as Remote Desktop Protocol (RDP). The Ragnar Locker group was known to use a double extortion tactic: it demanded payment for the decryption tools and a further payment for not publishing the sensitive data it had stolen.
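Exposed RDP as an initial-access route is something defenders can look for in their own logs. The following is an added example, not code from the article or from any of the agencies involved: it reads Windows Security events 4624 (successful logon) and 4625 (failed logon) restricted to logon type 10 (RemoteInteractive, i.e. RDP), and flags a source address that fails repeatedly within a short window and then succeeds. The log lines, the whitespace-separated format, the trusted network range 10.0.0.0/8 and the threshold values are all constructed assumptions for the example; real data would be extracted from Security.evtx or a SIEM.

```python
"""Flag RDP brute-force bursts that end in a successful logon.

Added example with constructed data. Fields per line (assumed export format):
<ISO timestamp> <event id> <logon type> <source ip> <account>
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: an external host hammering an exposed RDP service and
# eventually guessing a password, plus ordinary internal activity as noise.
SAMPLE_LOG = """\
2023-10-16T02:14:01 4625 10 198.51.100.23 administrator
2023-10-16T02:14:03 4625 10 198.51.100.23 admin
2023-10-16T02:14:05 4625 10 198.51.100.23 backup
2023-10-16T02:14:07 4625 10 198.51.100.23 svc_sql
2023-10-16T02:14:09 4625 10 198.51.100.23 jsmith
2023-10-16T02:14:12 4624 10 198.51.100.23 jsmith
2023-10-16T09:00:00 4625 10 10.0.0.15 jsmith
2023-10-16T09:00:30 4624 10 10.0.0.15 jsmith
2023-10-16T09:05:00 4624 2 - jsmith
"""


def parse_events(text):
    """Turn the exported lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, user = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "user": user,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10),
                          trusted=("10.0.0.0/8",)):
    """Return {source ip: details} for sources whose RDP failures reached
    `threshold` inside `window`; details record whether a 4624 followed the
    burst and whether the source lies outside the trusted (assumed) ranges."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10 and e["event_id"] in (4624, 4625):
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        recent_failures = deque()          # timestamps of 4625s inside the window
        burst = success_after_burst = False
        for e in evs:
            # drop failures that have aged out of the sliding window
            while recent_failures and e["time"] - recent_failures[0] > window:
                recent_failures.popleft()
            if e["event_id"] == 4625:
                recent_failures.append(e["time"])
                if len(recent_failures) >= threshold:
                    burst = True
            elif burst and len(recent_failures) >= threshold:
                # a success while the burst is still "hot": likely a guessed password
                success_after_burst = True
        if burst:
            try:
                addr = ipaddress.ip_address(src)
                external = not any(addr in net for net in trusted_nets)
            except ValueError:
                external = True            # unparsable source: treat as untrusted
            alerts[src] = {
                "failures": sum(1 for e in evs if e["event_id"] == 4625),
                "success_after_burst": success_after_burst,
                "external_source": external,
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

The internal host 10.0.0.15 produces one failure and is not reported; the external host crosses the threshold and then logs on successfully, which is the pattern worth paging on. In practice the same logic should run over logon types 3 and 7 as well (network and unlock), and the trusted ranges should be the jump hosts or VPN pools from which RDP is actually expected, since any RDP reachable from outside those ranges is the exposure the article describes.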
Law enforcement authorities did not let up
As early as October 2021, investigators from the French Gendarmerie and the US FBI along with specialists from Europol and INTERPOL, deployed to Ukraine to carry out investigative operations alongside the Ukrainian National Police, which resulted in the arrest of two prominent Ragnar Locker operators.
The investigation has continued since then, resulting in this week's arrests and disruptions. Europol's European Cybercrime Centre (EC3) supported the investigation from the start and brought together all the countries involved to develop a common strategy.
Its cybercrime specialists organised 15 coordination meetings and two week-long sprints to prepare for the latest measures, in addition to providing analytical, malware, forensic and cryptocurrency-tracing support.
International cooperation against Ragnar Locker
The following authorities were involved in the investigation, which was carried out within the framework of the European Multidisciplinary Platform against Criminal Threats (EMPACT).
- Czech Republic: National Agency for Combating Terrorism, Extremism and Cybercrime of the Police of the Czech Republic
- France: National Cybercrime Center of the French Gendarmerie (Gendarmerie Nationale – C3N)
- Germany: Saxony State Criminal Police Office, Federal Criminal Police Office
- Italy: State Police (Polizia di Stato), Postal and Communications Police (Polizia Postale e delle Comunicazioni)
- Japan: National Police Agency (NPA)
- Latvia: State Police (Latvijas Valsts Policija)
- Netherlands: Police of the Eastern Netherlands (Politie Oost-Nederland)
- Spain: Civil Guard (Guardia Civil)
- Sweden: Swedish Cybercrime Center (SC3)
- Ukraine: Cyberpolice Department of the National Police of Ukraine (Національна поліція України)
- United States: Federal Bureau of Investigation Atlanta Field Office