
Europol arrests suspected developer of Ragnar Locker ransomware group

Written by Wed 25 Oct 2023

The EU’s law enforcement agency, Europol, has arrested a key target in the Ragnar Locker ransomware group. 

The international law enforcement action was carried out between 16 and 20 October by Europol and Eurojust.

The key target of the ransomware group was arrested in Paris on 16 October, and his home in Czechia was subsequently searched. The suspected developer of the Ragnar Locker group was brought before examining magistrates at the Paris Judicial Court.

Five individuals suspected to be a part of the group were also interviewed in Spain and Latvia.

“I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence,” said Edvardas Šileris, Head of the European Cybercrime Centre at Europol.

The ransomware group’s infrastructure was seized in the Netherlands, Germany, and Sweden. Its Tor-based data leak website was also shut down in Sweden. Tor, also known as The Onion Router, is an open source privacy network that enables anonymous web browsing.

French authorities are set to conduct a criminal investigation involving several offenses, including unauthorised access to computer systems, unauthorised data input and substitution in computer systems, disruption of the operation of computer systems, extortion as part of an organised criminal group, and money laundering as part of an organised criminal group.

These actions are in violation of specific articles within the Criminal Code of France.

“This investigation shows that once again international cooperation is the key to taking ransomware groups down. Prevention and security are improving, however ransomware operators continue to innovate and find new victims,” added Šileris.

The global operation resulted from an investigation led by the French National Gendarmerie. The police force operated in collaboration with law enforcement agencies from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States.

Europol’s cybercrime specialists organised 15 coordination meetings and two week-long sprints to prepare for the latest actions. Alongside this, the European law enforcement agency provided analytical, malware forensic, and crypto-tracing support.

History of the Investigation

In October 2021, investigators from the French Gendarmerie, the United States FBI, and specialists from Europol and INTERPOL were sent to Ukraine for investigative purposes.

This effort led to the arrests of two significant Ragnar Locker operators in 2021. The arrests were made in collaboration with the Ukrainian National Police.

The European law enforcement agency acted as the foundation of the investigation by bringing together the involved countries to establish a joint strategy.

What Is Ragnar Locker and How Does It Operate?

Created in December 2019, Ragnar Locker is the name both of a ransomware strain and of the criminal group that developed it.

The Ragnar Locker ransomware strain targeted devices running Microsoft Windows operating systems. It usually exploited exposed services such as Remote Desktop Protocol (RDP) to gain access to a system.

RDP allows a user to connect to and control another computer or server over a network or the internet. With RDP, a user can access a remote computer’s desktop, run applications, and perform tasks as if they were physically operating the computer.
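As an added defender-side illustration (not part of the original article), the following Python checks Windows Security logon events for the kind of exposure described above: successful RDP logons from outside the internal address space, and repeated failed RDP logons from a single source. The sample events, the internal ranges and the failure threshold are constructed assumptions, not data from the article.

```python
import ipaddress
from collections import Counter

# Constructed sample records (not real telemetry) shaped like Windows Security
# events 4624 (logon succeeded) and 4625 (logon failed). LogonType 10 means
# RemoteInteractive, i.e. a logon over RDP. 203.0.113.0/24 is a documentation
# range, standing in here for an internet-facing source address.
SAMPLE_EVENTS = (
    [{"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk", "IpAddress": "10.0.0.5"}]
    + [{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator",
        "IpAddress": "203.0.113.7"} for _ in range(5)]
    + [{"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator",
        "IpAddress": "203.0.113.7"},
       {"EventID": 4624, "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"}]
)

RDP_LOGON_TYPE = 10

# Assumed internal address space (RFC 1918, loopback, link-local); adjust to your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_external(ip):
    """True when the source lies outside INTERNAL_NETS; '-' (no address) is not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def find_rdp_findings(events, fail_threshold=5):
    """Report successful RDP logons from external sources, sources with repeated failed
    RDP logons (credential guessing), and their overlap, which is the finding to act on first."""
    external_logons = []
    failures = Counter()
    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue
        src = e.get("IpAddress", "-")
        if e["EventID"] == 4625:
            failures[src] += 1
        elif e["EventID"] == 4624 and is_external(src):
            external_logons.append((src, e["TargetUserName"]))
    guessing = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {
        "external_rdp_logons": external_logons,
        "guessing_sources": guessing,
        "success_after_guessing": [(ip, u) for ip, u in external_logons if ip in guessing],
    }
```

Run `find_rdp_findings(SAMPLE_EVENTS)` to see the three result sets; on real data, feed it events exported from the Security log and tune `fail_threshold` to your environment.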

“The organisers clearly divided the responsibilities between the group members. Individual members were responsible for gathering information and finding vulnerabilities in the victims’ cybersecurity architecture,” said the Cyber Police of Ukraine.

Individual members then transferred the collected information to accomplices with computer programming skills. The latter were responsible for creating and modifying malicious software in order to further damage a specific company.

Ragnar Locker attacked critical infrastructure around the world. Most recently, the group claimed attacks against Mayanei Hayeshua Medical Centre in Bnei Brak and TAP Air Portugal’s systems.

In 2022, the FBI found that the group had breached the networks of at least 52 organisations across 10 critical infrastructure sectors, including critical manufacturing, energy, financial services, government, and information technology sectors.

The Cyber Police of Ukraine said that since 2020, perpetrators of Ragnar Locker have attacked 168 companies in Europe and America using the Ragnar ransomware malware. This included the drinks brand Campari, which refused to pay the £12.3 million ($15 million) demanded to retrieve its stolen data.
