Europol dismantles Ragnar Locker Ransomware Infrastructure, Nabs Key Developer

Ragnar Locker Ransomware

Europol announced on Friday the removal of infrastructure related to the Ragnar Locker ransomware, along with the arrest of a “main target” in France.

“In an action carried out between 16 and 20 October, searches were carried out in Czechia, Spain, and Latvia,” the agency SAYS. “The main culprit, suspected to be a developer of the Ragnar group, was brought before the investigating magistrates of the Paris Judicial Court.”

Five other associates of the ransomware gang are said to have been interviewed in Spain and Latvia, along with servers and the data leak portal obtained in the Netherlands, Germany, and Sweden.

The effort is the latest coordinated exercise involving authorities from the Czechia, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the U.S. Two suspects linked to the ransomware crew was previously arrested from Ukraine in 2021. A year later, another member was arrested in Canada.

Ragnar Locker, which first emerged in December 2019, is known for a series of targeted attacks. critical infrastructure entities all over the world. According to Eurojust, the group has already done so attack against 168 international companies worldwide since 2020.

“The Ragnar Locker group is known to be using a double extortion tactic, demanding extortion payments for decryption tools as well as for the non-release of sensitive data stolen,” Europol said.


Adam Meyers, head of Counter Adversary Operations at CrowdStrike, described Ragnar Locker (aka Viking Spider) as “one of the first Big Game Hunting ransomware adversaries to use the threat of publishing stolen data on a ( data leak site) to victims of pressure.”

The Cyber ​​​​Police of Ukraine SAYS it conducted raids on one of the suspected members’ premises in Kyiv, confiscating laptops, mobile phones and electronic media.

Law enforcement action coincides with the Ukrainian Cyber ​​​​Alliance (UCA) infiltrating and extinguish the leak site operated by the Trigona ransomware group and eliminated 10 of the servers, but not before exfiltrating the data it stored. There is evidence to suggest that the actors of Trigona using Atlassian Confluence for their activities.

Just as the dismantling of Hive and Ragnar Locker represent ongoing efforts to tackle the ransomware threat, so too are the initiatives taken by threat actors to evolve and rebrand under new names. Hive, for example, has resurfaced as Hunters International.

The development comes as India’s Central Bureau of Investigation, based on information shared by Amazon and Microsoftit said invaded 76 locations in 11 states in a nationwide crackdown aimed at dismantling the infrastructure used to facilitate cyber-enabled financial crimes such as tech support scams and cryptocurrency fraud.

The exercise, dubbed Operation Chakra-II, led to the seizure of 32 mobile phones, 48 ​​laptops/hard disks, images of two servers, 33 SIM cards, and pen drives, as well as a dump of 15 email accounts.

It also follows the extradition of Sandu Diaconu, a 31-year-old Moldovan national, from the UK to the US to face charges related to his role as administrator of the E-Root Marketplace, a website that offers access of more than 350,000 compromised. computer credentials worldwide for ransomware attacks, unauthorized wire transfers, and tax fraud.


The website, which was operational in January 2015, was taken down in 2020 and Diaconu was arrested in the UK in May 2021 while trying to flee the country.

“E-Root Marketplace operates a widely distributed network and takes steps to hide the identities of its administrators, buyers, and sellers,” the US Department of Justice (DoJ) SAYS this week.

“Buyers can search for compromised E-Root computer credentials, such as RDP and SSH access, by desired criteria such as price, geographic location, internet service provider, and operating system .”

In a related law enforcement action, Marquis Hooper, a former US Navy IT manager, is sentenced to five years and five months in prison for illegally obtaining 9,000 US citizens’ personally identifiable information (PII) and selling it on the dark web for $160,000 in bitcoin.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment