October 19, 2023 at 10:43AM
Law enforcement agencies from multiple countries have seized the Tor negotiation and data leak sites of the Ragnar Locker ransomware operation. The seized websites now display a message confirming the coordinated law enforcement action and the involvement of agencies from the US, Europe, and other countries. Europol has confirmed the seizure and will issue a press release tomorrow. Ragnar Locker is a long-running ransomware operation that targeted enterprises by breaching networks, encrypting files, and stealing data for extortion purposes. A new ransomware operation called DarkAngels appears to have used Ragnar Locker’s encryptor in an attack on Johnson Controls, but it is unclear if they are connected. Ragnar Locker has been responsible for several high-profile attacks, including on EDP, Capcom, Campari, and others.
The Tor negotiation and data leak sites operated by the Ragnar Locker ransomware group have been seized by law enforcement. International law enforcement agencies from the US, Europe, Germany, France, Italy, Japan, Spain, the Netherlands, and Latvia were involved in the operation. The seizure message confirms that it was part of a coordinated action against Ragnar Locker.
Ragnar Locker is a long-running ransomware operation that started in late 2019, primarily targeting enterprises. They would breach corporate networks, spread to other devices, encrypt the computers, and then use the encrypted files and stolen data to pressure victims into paying. Unlike other ransomware operations, Ragnar Locker did not actively recruit affiliates but worked with outside pentesters to breach networks. They also conducted data theft attacks and used a data leak site for extortion.
In a recent attack on Johnson Controls, a new ransomware operation named DarkAngels was observed using Ragnar Locker’s ESXi encryptor. It is uncertain whether DarkAngels is an offshoot of Ragnar Locker or a rebranding. Ragnar Locker has been associated with various high-profile attacks, including those on Energias de Portugal (EDP), Capcom, Campari, Dassault Falcon Jet, ADATA, and the City of Antwerp in Belgium.