Law enforcement agencies have taken control of dark web extortion websites associated with the Ragnar Locker ransomware operation.
The seizure followed a coordinated takedown operation carried out by law enforcement agencies in several countries. Visiting the sites now returns a seizure banner naming the participating agencies, which come from the United States, Japan, and European countries including Germany, France, Italy, Spain, the Netherlands, the Czech Republic, and Latvia.
A Europol spokesperson confirmed that the seizure banner is genuine and said a press statement will follow.
Ragnar Locker is one of the longest-running ransomware operations.
The group is known for targeting enterprises worldwide. Like other ransomware groups, it breaks into a corporate network, moves laterally across devices, steals data, and then encrypts the computers it has reached.
In a double-extortion scheme, the group used both the encrypted files and the stolen data as leverage to pressure victims into paying a ransom.
Unlike many modern ransomware operations, however, Ragnar Locker did not run as a Ransomware-as-a-Service that recruits external affiliates to breach networks and deploy the ransomware in exchange for a share of the profits. It operated instead as a semi-private group that did not openly seek affiliates, although it did work with outside network intruders, who call themselves penetration testers, to compromise victims.
In many attacks the gang focused on data theft without deploying an encryptor at all, posting the stolen data on its leak site to extort the victim. More recently, Ragnar Locker also moved to a VMware ESXi encryptor derived from the leaked Babuk ransomware source code.
Interestingly, researchers observed a new ransomware operation named DarkAngels using Ragnar Locker's original ESXi encryptor in an attack on the industrial giant Johnson Controls. Whether DarkAngels is a Ragnar Locker subgroup, a rebrand, or a separate group that acquired Ragnar's source code remains unclear.
Authorities have long struggled to disrupt ransomware operations, so this takedown is a win for law enforcement and the security community. In the same week as the Ragnar Locker seizure, the Ukrainian Cyber Alliance hacked the Trigona ransomware operation, retrieving its data and wiping its servers.
Taken together, these operations show that authorities and defenders can take down criminal hacking groups. It remains a long process, however, because numerous malicious groups continue to operate in the cybercriminal ecosystem.