
What is Ragnar Locker?
Ragnar Locker (aka Ragnar_Locker and RagnarLocker) is one of the longest-running ransomware operations at this time, having launched at the end of 2019 when it began targeting the enterprise.
Like other ransomware operations, Ragnar Locker would breach corporate networks, spread laterally to other devices while harvesting data, and then encrypt the computers on the network.
The encrypted files and stolen data were used as leverage in double-extortion schemes to pressure a victim to pay.

However, unlike most modern operations, Ragnar Locker was not considered a Ransomware-as-a-Service that actively recruited outside affiliates to breach networks and deploy the ransomware, earning a revenue share in the process.
Instead, Ragnar Locker was semi-private, meaning they did not actively promote their operation to recruit affiliates but worked with outside penetration testers to breach networks.
The ransomware gang also conducts pure data theft attacks rather than deploying an encryptor, using their data leak site to extort the victim.
Law Enforcement Seizure
The Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized Thursday morning (October 19th, 2023) as part of an international law enforcement operation.
Visiting the website now displays a seizure message stating that a large assortment of international law enforcement agencies from the US, Europe, Germany, France, Italy, Japan, Spain, Netherlands, Czech Republic, and Latvia were involved in the operation.
"This service has been seized as part of a coordinated law enforcement action against the Ragnar Locker group," reads the message.
A Europol spokesperson has confirmed the seizure message is legitimate.

This is a win for law enforcement and cyber-security as a whole.
How can my Company Protect Itself from Ragnar_Locker?
The best advice is to follow the recommendations on how to protect your organization from other ransomware. Those include:
Making secure offsite backups.
Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
Encrypting sensitive data wherever possible.
Reducing the attack surface by disabling functionality which your company does not need.
Educating and informing staff about the risks and methods used by cyber-criminals to launch attacks and steal data.