Police seize Ragnar Locker leak site

Law enforcement agencies from more than a dozen countries seized a website used by the criminal hacking group known as Ragnar Locker to leak stolen data and information, according to a message posted to the site’s front page.

The seizure is the latest in a string by global law enforcement agencies to take down the public facing websites and infrastructure of ransomware groups.

The extent to which Thursday’s operation — which was carried out by a coalition of law enforcement agencies that included the FBI, German police and Japanese authorities — disrupted the ransomware operation is unclear. “This service has been seized as part of a coordinated international law enforcement action against the RagnarLocker group,” a message on the Ragnar Locker website reads.

A “key target” of the group, believed to be a developer, was arrested in Paris on October 16, Europol said in a statement Friday. An additional five suspects in Spain and Latvia were interviewed, according to the statement, and authorities seized the group’s infrastructure in the Netherlands, Germany and Sweden.

The arrest of two ransomware operators in Ukraine in September 2021 led to this week’s action against Ragnar Locker, according to the statement. Law enforcement officials from 11 countries were involved, including Czechia, France, Germany, Italy, Japan, Latvia, Netherlands, Spain, Sweden, Ukraine and the United States.

Ragnar Locker dates to 2019, making it one of the most enduring ransomware operations, according to the tech news site Bleeping Computer. The group was somewhat unique in the ransomware landscape, the site noted, given that it was more closed to outsiders than many other criminal hacking groups. While the group would work with outside hackers to breach systems, it was far less willing to take on affiliates or sell its services to outsiders.

The group was also unusual in the criminal hacking landscape in that it would often eschew encrypting data and demanding a ransom to decrypt it, preferring to instead steal data outright and demand payment in exchange for not leaking it online.

Adam Meyers, Crowdstrike’s head of counter adversary operations, said that Ragnar Locker, which his firm tracks as “Viking Spider,” represented one of the first “Big Game Hunting” groups that attacked large targets with the aim of securing significant payouts, rather than targeting smaller entities, and then leveraged the threat of publicizing stolen data to pressure its victims into paying up.

According to Meyers, the group posted data belonging to 100 victims to its leak site across 27 sectors during its run. As of January 2022, the FBI had identified at least 52 entities across 10 critical infrastructure sectors affected by the group, the agency said in a March 2022 alert.

Thursday’s action is the latest in a string of law enforcement operations aimed at disrupting cybercrime and nation-state cyber operations and infrastructure. Last month, authorities in the U.S. and the U.K. announced sanctions against 11 members of the notorious Trickbot cybercrime syndicate and unveiled indictments in the U.S. against some of the members.

Previous operations targeted infrastructure used by the Hive ransomware group, the Russian military-controlled CyclopsBlink botnet and a Chinese-linked effort to exploit vulnerable Microsoft Exchange servers.

During remarks in April, U.S. Deputy Attorney General Lisa Monaco said that U.S. prosecutors and investigators are directed to have “a bias toward action to disrupt and prevent” cyber crime.

Correction, Oct. 20, 2023: An earlier version of this article mis-stated the number of law enforcement agencies that participated in the operation against Ragnar Locker. Law enforcement agencies from 11 countries were involved.