International Operation Dismantles Ragnar Locker Ransomware Group

Ransomware operators are elusive, but cybersecurity defenders recently had another win in the fight against cybercrime. Europol, the European Union’s law enforcement agency, and Eurojust, the EU Agency for Criminal Justice Cooperation, coordinated an international law enforcement action to take down the Ragnar Locker ransomware group.

What does this takedown mean for the outlook on ransomware and its potential victims?

Ragnar Locker Ransomware Group

Ragnar Locker has been active since December 2019, according to the Europol report on the takedown. While some other ransomware groups active today will cast a wide net for victims, this group took a more targeted approach.

“Ragnar Locker appeared to be a little more picky, and they hit companies most often in the industrial vertical, but companies that were viewed as critical [in] nature that would most likely result in a ransom payment, not just any small- or medium-size business that they could get into,” says Andi Ursry, cyber threat intelligence analyst at Optiv, a cybersecurity advisory and solutions company.

In September, Ragnar Locker claimed to have breached airline TAP Air Portugal, Dark Reading reports. In the same month, it also claimed responsibility for an ransomware attack on an Israeli hospital. The group stole and leaked personal data.

Related:The Cost of a Ransomware Attack, Part 1: The Ransom

Ragnar Locker also differs from many other ransomware players in another way, according to Ursry. “Unlike most of the groups that we see today, they don't operate as a ransomware as a service. It was either one actor or one small group that chose very select third parties to work with,” she says.

Europol also notes that the ransomware group was known for warning its victims not to turn to law enforcement for help, threatening to leak stolen data.

The Takedown

The case was first opened in May 2021. The takedown operation was a coordinated effort involving authorities from 11 countries, including the Czech Republic, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States.

“We have been working on this case for many years. We have been bringing together the different countries affected by this ransomware group to try coordinating across borders to come up with a joint strategy,” says Claire Georges, deputy spokesperson with the Europol press office.

Those years of effort bore fruit. In October 2021, the first round of arrests within the framework of the investigation took place in Ukraine, according to Europol. In October of this year, law enforcement arrested a suspected Ragnar Locker developer in Paris. In addition to the arrests, law enforcement seized Ragnar Locker’s ransomware infrastructure in Germany, the Netherlands and Sweden. The group’s dark leak site was also taken down in Sweden.

Related:LockBit Redux: Ransomware Gang Demands $80M, Leaks CDW Data

International Cooperation

The action taken against Ragnar Locker is not the first of its kind. In August, a multinational operation dismantled Qakbot, a botnet that has been active in cybercrime since 2008.

At the beginning of 2023, the US Justice Department announced that it disrupted the Hive ransomware group. At the beginning of 2022, Russia’s Federal Security Service (FSB) announced that it arrested members of the REvil ransomware group; an action taken at the behest of the US government. Back in 2021, another multinational operation disrupted and took down the infrastructure of the malware and botnet Emotet.  

“It shows that these long running cooperative law enforcement operations are effective in taking down these groups that have for the last few years been seen as untouchable,” says Ursry.

While these victories are worth celebrating, the work is far from done. “We are already working on the other actors. A number of investigations are ongoing,” Georges shares.

An Ongoing Battle

Related:To Pay or Not to Pay? The Ransomware Dilemma

Continued investigation is necessary. Disrupting a ransomware group does not guarantee that some of the same players won’t regroup, rebrand, and emerge as a renewed threat.

“What I think is the unfortunate reality though is that we look at groups like Hive that had their own takedown, and they just recently went through the rebranding process. Now, they’re calling themselves Hunters International,” says Drew Schmitt, practice lead with the GuidePoint Research and Intelligence Team (GRIT) at cybersecurity consulting services company GuidePoint Security.

REvil also had a resurgence in 2022, Bleeping Computer reports.

Whether it is old players finding new ways to target victims, threat actors who have yet to be caught, or novel attackers emerging, ransomware remains a significant threat.

Schmitt acknowledges that a cloud of “doom and gloom” often hangs over the ransomware conversation, but he thinks that these large, multinational takedowns that have a tangible impact are a reason for hope.

“The more we can force them into having the conduct rebrands and having to hide themselves, the more work that it puts on their shoulders, which ultimately means hopefully less of a return on investment for what they're doing,” he says.

While law enforcement continues to seek ways to disrupt ransomware groups, enterprise leadership must remain vigilant. Government entities offer resources to help potential victims safeguard against and respond to ransomware.

For example, No More Ransom, a collaboration between Europol’s European Cybercrime Centre, the National High Tech Crime Unit of the Netherlands’ police, Kaspersky and McAfee, aims to help ransomware victims retrieve encrypted data without paying threat actors. In the US, the Cybersecurity and Infrastructure Security Agency (CISA) supports the Stop Ransomware initiative, which publishes technical information on ransomware variants and offers resources for preventing and responding to ransomware attacks.

“I think it's imperative that leaders are still preparing ahead of time and assuming that they could be the victim of ransomware, whether that's Ragnar Locker group or another group,” says Ursry.