Law enforcement agencies have successfully seized the dark web negotiation and data leak sites used by the infamous Ragnar Locker ransomware operation. This joint operation, involving multiple countries, is a significant blow to the world of ransomware. In this article, we’ll take a closer look at this operation and delve into the background of the Ragnar Locker gang.
Ragnar Locker Ransomware seizure operation
International law enforcement officials performed a well-coordinated operation that seized the main web infrastructure used by the Ragnar Locker ransomware group. Visitors to these sites are now confronted with a seizure notice that openly indicates that a coalition of law enforcement agencies from the United States, Europe, Germany, France, Italy, Japan, Spain, the Netherlands, the Czech Republic, and Latvia carried out this operation. The message is clear: this is part of a larger campaign against the Ragnar Locker organization.
A Europol official confirmed to Bleeping Computer that the seizure notice is legitimate, emphasizing that it is part of an ongoing effort to dismantle the Ragnar Locker ransomware group, and said an official announcement on the operation would follow. The FBI, meanwhile, has declined to comment.
Ragnar Locker in the Spotlight
Ragnar Locker, also written Ragnar_Locker and RagnarLocker, is one of the longest-running ransomware operations. It emerged at the end of 2019 and primarily targeted enterprises. Its playbook was a familiar one: breach a corporate network, move laterally within it, and exfiltrate data; only then would the gang deploy its encryptor against the network’s machines.
What distinguishes Ragnar Locker is its approach. Many modern ransomware operations aggressively recruit affiliates to compromise networks and launch attacks; Ragnar Locker instead ran semi-privately, avoiding open recruitment and working with outsourced penetration testers to breach networks.
Furthermore, unlike most ransomware operations, Ragnar Locker focuses solely on data theft, using its data leak site to extort victims. That combination makes it a one-of-a-kind and formidable force in the world of cybercrime.
A recent twist in Ragnar Locker’s tactics came to light when cybersecurity researcher MalwareHunterTeam reported their use of a VMware ESXi encryptor, which is based on Babuk’s leaked source code. Intriguingly, a new ransomware player called DarkAngels emerged, utilizing Ragnar Locker’s original ESXi encryptor during an attack on the industrial giant Johnson Controls. The origin and affiliation of DarkAngels remain uncertain, leaving room for speculation.
Notable attacks and law enforcement success
Ragnar Locker has been linked to several high-profile attacks, including those on Energias de Portugal (EDP), Capcom, Campari, Dassault Falcon Jet, ADATA, and even the City of Antwerp, Belgium. The seizure of its dark web sites represents a significant win for law enforcement and the ongoing campaign against ransomware.
In related news, the Ukrainian Cyber Alliance (UCA) also made headlines after hacking the Trigona ransomware gang. UCA was able to extract data and then wipe the gang’s servers clean. The group has vowed to cooperate with law enforcement by sharing the information it gathered. It has been a hard week for ransomware operators and a hopeful one for those devoted to stopping their illegal operations.
Featured image credit: Clint Patterson/Unsplash