The arrest in Paris on October 16 of a key figure associated with the Ragnar Locker ransomware gang is a significant victory in the fight against cybercrime. In a press release dated October 20, Europol announced the success of this internationally coordinated action. This operation, carried out by police and judicial authorities in eleven countries, has dealt a severe blow to one of the most active ransomware gangs of recent years. This arrest is the result of unprecedented international cooperation between different law enforcement agencies. It underlines the global determination to track down and neutralize cybercriminals, regardless of where they operate.
A large-scale operation
The Ragnar Locker ransomware gang has been on the radar of international authorities for some time. Since its creation in December 2019, the group has been linked to attacks against 168 major corporations around the world. Such a scale of operations required a response to match.
Eurojust (the European Union Agency for Judicial Cooperation in Criminal Matters), in collaboration with the French authorities, opened an investigation into the gang in May 2021. This led to a series of coordination meetings involving several nations to ensure smooth judicial collaboration throughout the investigation.
The recent arrest in France was not an isolated event. As part of the joint operation, five suspects were questioned in Spain and Latvia. In addition, Ukrainian police carried out a raid in Kyiv, resulting in the seizure of several electronic devices, including laptops and cell phones, from another suspected gang member.
Successful international collaboration
The arrest in France marks the latest in a series of joint operations against the Ragnar Locker gang. The group had already come under pressure in September 2021, when collaboration between French, Ukrainian and US authorities led to the arrest of two of its members in Ukraine. This momentum continued in October 2022 when another member was arrested in Canada, thanks to a joint effort by French, Canadian and American law enforcement agencies.
Servers seized in Europe and closure of the Ragnar Locker site
One of the highlights of the operation was the seizure of the Ragnar Locker Tor trading and data leakage sites, which were shut down on a recent Thursday. Law enforcement didn’t stop there. They managed to shut down nine servers associated with the group: five in the Netherlands, two in Germany and two in Sweden. Visitors to the Ragnar Locker data leak site were greeted by a banner indicating that the site had been seized as part of the coordinated action against the group. The site, accessible via the Tor network, was used to publicly reveal the group’s new targets, intensifying the pressure on companies to pay up. If victims did not comply with the ransom demand, their data was posted on the “Wall of Shame” leak site.

The emergence and tactics of the Ragnar Locker ransomware group
Ragnar Locker, sometimes called Ragnar_Locker or simply RagnarLocker, first appeared on the cybercrime scene in late December 2019. Unlike many ransomware groups that operate on a Ransomware-as-a-Service (RaaS) model, Ragnar Locker chose a different path. They operated semi-privately, refraining from openly recruiting affiliates. Instead, they collaborated with external penetration testers to infiltrate and compromise networks.
This unique operating model enabled the group to target high-profile entities, including computer chip manufacturer ADATA, aviation company Dassault Falcon and Japanese gaming company Capcom. In France, notable victims in 2021 included IT equipment retailer LDLC and French ocean freight company CMA-CGM. Ragnar Locker, known for attacking mainly large corporations, has claimed no fewer than 168 victims worldwide, with ransom demands ranging from $5 million to $70 million.
Increased international cooperation and constant vigilance
The rise of groups such as Ragnar Locker highlights the need for greater international cooperation in the face of cybercrime. As cyberthreats intensify and become more complex, coordinated action is essential to ensure a secure digital environment for all. Recent advances against the Ragnar Locker ransomware group illustrate the potential of international collaboration. While the threat of cybercrime remains, the resilience and determination of international law enforcement gives hope for a safer digital world. It is crucial for users to remain vigilant and guard against ransomware to ensure the security of their data.