Law enforcement agencies arrested a malware developer linked with the Ragnar Locker ransomware gang and seized the group’s dark web sites in a joint international operation.
Authorities from France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain, Sweden, Japan, Canada, and the United States were part of this international operation targeting the Ragnar Locker ransomware gang.
In Spain, Latvia, and the Czech Republic, police agents have also raided multiple locations believed to be connected to other Ragnar Locker suspects.
The Ragnar Locker ransomware gang is believed to have carried out attacks against 168 international companies globally since 2020.
“In an action carried out between 16 and 20 October, searches were conducted in three different countries and in total six suspects were heard in the Czech Republic, Spain, Latvia and France. Furthermore, nine servers were taken down; five in the Netherlands, two in Germany and two in Sweden,” Europol said today.
“At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.”
“One of the developers of the malicious software was detained in France,” the Ukrainian cyberpolice added in a separate statement.
This joint operation marks the third action taken against the same ransomware gang. In September 2021, coordinated efforts involving French, Ukrainian, and US authorities led to the arrest of two suspects in Ukraine.
Subsequently, in October 2022, another suspect was apprehended in Canada through a joint operation conducted by French, Canadian, and US law enforcement agencies.
“The case was opened by Eurojust in May 2021 at the request of the French authorities. Five coordination meetings were hosted by the Agency to facilitate judicial cooperation between the authorities of the countries supporting the investigation,” Europol said.
“Eurojust set up a coordination centre during the action week to enable rapid cooperation between the judicial authorities involved.”
During the coordinated operation, law enforcement agents also successfully seized cryptocurrency assets and took down the Ragnar Locker’s Tor negotiation and data leak sites on Thursday.
“This service has been seized as part of a coordinated law enforcement action against the Ragnar Locker group,” a banner displayed on Ragnar Locker’s data leak site reads.
Alongside the successful seizure of Ragnar Locker’s infrastructure, the Ukrainian Cyber Alliance (UCA) hacked the Trigona Ransomware operation, successfully retrieving data and wiping the cybercriminals’ servers.
The Ragnar Locker (also known as Ragnar_Locker and RagnarLocker) ransomware operation surfaced in late December 2019 when it started targeting enterprise victims worldwide.
In contrast to many modern ransomware gangs, Ragnar Locker did not operate as a Ransomware-as-a-Service, where affiliates are recruited to breach targets’ networks and deploy the ransomware in exchange for a share of the revenue.
Instead, Ragnar Locker operated semi-private, as they didn’t actively recruit affiliates, choosing to collaborate with external penetration testers to breach networks.
Its list of previous victims includes prominent entities such as computer chip manufacturer ADATA, aviation giant Dassault Falcon, and Japanese game maker Capcom.
According to a March 2022 FBI advisory, this ransomware has been deployed on the networks of at least 52 organizations across various critical infrastructure sectors in the United States since April 2020.