Original Article Text

Ragnar Locker ransomware’s dark web extortion sites seized by police

The Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized Thursday morning as part of an international law enforcement operation.

BleepingComputer has confirmed that visiting either website now displays a seizure message stating that a large assortment of international law enforcement from the US, Europe, Germany, France, Italy, Japan, Spain, Netherlands, and Latvia were involved in the operation.

"This service has been seized as part of a coordinated law enforcement action against the Ragnar Locker group," reads the message.

A Europol spokesperson has confirmed the seizure message is legitimate as part of an ongoing action targeting the Ragnar Locker ransomware gang and that a press release will be published tomorrow.

Who is Ragnar Locker

Ragnar Locker (aka Ragnar_Locker and RagnarLocker) is one of the longest-running ransomware operations at this time, launching at the end of 2019 as they began targeting the enterprise.

Like other ransomware operations, Ragnar Locker would breach corporate networks, spread laterally to other devices while harvesting data, and then encrypt the computers on the network. The encrypted files and stolen data were used as leverage in double-extortion schemes to pressure a victim to pay.

However, unlike most modern operations, Ragnar Locker was not considered a Ransomware-as-a-Service that actively recruited outside affiliates to breach networks and deploy the ransomware, earning a revenue share in the process. Instead, Ragnar Locker was semi-private, meaning they did not actively promote their operation to recruit affiliates but worked with outside pentesters to breach networks.

The ransomware gang also conducts pure data theft attacks rather than deploying an encryptor, using their data leak site to extort the victim.
Strangely, a new ransomware operation named DarkAngels was seen utilizing the Ragnar Locker ESXi encryptor in an attack on industrial giant Johnson Controls. It is unclear if this new operation is an offshoot of Ragnar Locker or a rebrand.

The ransomware operation is responsible for numerous high-profile attacks over the years, including Energias de Portugal (EDP), Capcom, Campari, Dassault Falcon Jet, ADATA, and the City of Antwerp, Belgium.

Daily Brief Summary

CYBERCRIME // International Law Enforcement Seizes Ragnar Locker Ransomware's Dark Web Sites

International law enforcement, including agencies from the US, Europe, Germany, France, Italy, Japan, Spain, Netherlands, and Latvia, seized Tor negotiation and data leak sites run by the Ragnar Locker ransomware group.

The seizure was confirmed by a Europol spokesperson, who stated that a press release would be provided to further document the action against the long-standing cyber criminal operation.

Running its operation since the end of 2019, Ragnar Locker is one of the longest-running ransomware operations and has targeted multiple high-profile entities.

The group uses a double-extortion technique, breaching corporate networks, extracting data, and encrypting files. The stolen and encrypted data is then used as leverage to pressure victims into paying a ransom.

Unlike the typical Ransomware-as-a-Service model, Ragnar Locker's operation is described as semi-private, not actively recruiting affiliates but working with outside pentesters to breach networks.

The operation is also known for conducting pure data theft attacks, rather than deploying encryptors, using its data leak site to further extort its victims.

Recent activities suggest that a new ransomware operation, DarkAngels, is using the Ragnar Locker ESXi encryptor in its attacks, although the connection between the two operations is yet to be confirmed.