Joint operation dismantles Ragnar Locker ransomware group

A joint operation between police forces and judicial authorities from 11 countries has dealt a serious blow to the group responsible for the Ragnar Locker ransomware, considered one of the most dangerous organizations in recent years. Coordinated by Europol and Eurojust, the action led to the arrest of the alleged creator of the ransomware, known as "key target", in Paris. The searches were carried out in the Czech Republic, Spain and Latvia, while in the Netherlands, Germany and Sweden the infrastructure used by the group to carry out the attacks was confiscated. Tor data leak site blocked in Sweden. The international collaboration that led to the operation involves France, the Netherlands, Spain, Germany, Ukraine, the United States, Japan, Italy, Sweden, the Czech Republic and Latvia.

The infamous Ragnar Locker: operation and objectives

Ragnar Locker is a ransomware that has been active since December 2019 and is both the name of the malicious code and the criminal group responsible. Known for attacks on critical infrastructure around the world, the group's recent targets include Portugal's national airline and a hospital in Israel. This ransomware targeted devices running the Microsoft Windows operating system, primarily exploiting exposed services such as the Remote Desktop Protocol to access systems. Ragnar Locker was famous for double extortion: he demanded exorbitant payments to release the decryption tools and to prevent the publication of the stolen sensitive data. Given the group's propensity to attack critical infrastructure, Ragnar Locker's threat level was considered high.

Ragnar Locker's harsh response to the authorities

In an ironic parody of communications, Ragnar Locker placed warnings directly to his victims, advising them against contacting law enforcement and threatening to publish all stolen data on his "Wall of Shame" Dark Web site. “All the FBI and ransomware negotiators/investigators do is complicate things, so we will publish your data if you ask for help,” the group's announcement read. What Ragnar Locker didn't know was that the forces of law and order were about to close in around them. In October 2021, investigators from the French Gendarmerie and the US FBI, supported by Europol and INTERPOL, were sent to Ukraine to implement investigative measures with the Ukrainian National Police, which led to the arrest of two prominent members of the group Ragnar Locker.

International collaboration to fight ransomware

The investigation coordinated by Eurojust began in May 2021 at the request of the French authorities. The enormous international cooperation effort involved several police forces and judicial agencies, including the French Gendarmerie, the US FBI, Europol and INTERPOL. The goal was to establish a common strategy to dismantle the Ragnar Locker group and bring those responsible for these criminal attacks to justice. In support of the authorities involved, Europol provided analytical, technical and forensic support, creating a virtual command to coordinate the action of all agencies. The operation against Ragnar Locker sends a strong message to ransomware operators who think they can act with impunity: international cooperation is key to combating these organizations, and each case helps us improve our investigation models and understanding of these threats.