“Key target” of Ragnar Locker ransomware operation arrested in Paris


A “key target” allegedly involved in the Ragnar Locker ransomware group was arrested in Paris on Monday, according to Europol officials.

THE announcementreleased Friday, is the first official word from law enforcement after the gang’s escape site was replaced by a banner displaying the insignia of several agencies on Thursday.

Europol said police and judicial authorities from 11 countries coordinated to carry out several raids aimed at eliminating the group.

The political agency said that in addition to the unnamed person arrested in Paris on October 16, his home in Czechia was searched and five people in Spain and Latvia were questioned last week.

Rangar Locker has been operational since December 2019, attacking several major targets since 2020, including the the largest airline in Portugala big Israeli hospital and the national natural gas operator of Greece.

“At the end of the week of action, the main perpetrator, suspected of being a developer of the Ragnar group, was brought before the investigating judges of the Paris judicial court,” Europol officials said. . “The ransomware infrastructure was also seized in the Netherlands, Germany and Sweden, and the associated data leak website on Tor was taken down in Sweden.”

The French National Gendarmerie led the investigation with law enforcement agencies from the Czech Republic, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and of the United States, Europol said.

Ragnar Locker was responsible for “numerous high-profile attacks on critical infrastructure around the world,” according to Europol. Officials noted that a first wave of arrests the targeting of the group took place in October 2021 in Ukraine.

Ukrainian officials said Friday that the group is responsible for at least 168 ransomware attacks and noted that it had a detailed organizational structure in which researchers looked for vulnerabilities and passed them on to more experienced hackers who deployed the ransomware.

Searches were also carried out in kyiv “on the premises of one of the members of the group”, Ukrainian officials said. Police seized laptops, cell phones, etc.

Ukrainian officials added that the person arrested in France now faces a series of charges related to several crimes including computer hacking, extortion, money laundering and participation in criminal operations.

Double extortion

Europol said Ragnar Locker is the name of both the ransomware strain and the criminal group that developed and operated the malware.

The gang targeted the Microsoft Windows operating system, typically exploiting exposed services such as Remote Desktop Protocol. It was well known for its double extortion, in which hackers demanded ransoms for decrypting data and also for not disclosing the stolen information.

“The threat level of Ragnar Locker was considered high, given the group’s propensity to attack critical infrastructure,” Europol said, noting that the group threatened to publish stolen information from any victims contacting security forces. ‘order.

“They didn’t know that the police were closing in on them. In October 2021, investigators from the French Gendarmerie and the US FBI, as well as specialists from Europol and INTERPOL were deployed to Ukraine to conduct investigative measures with the Ukrainian National Police, which led to the arrest of two prominent Ragnar Locker operators.

Law enforcement agencies from participating countries analyzed the group’s malware, conducted forensic investigations into the group’s attacks, and traced cryptocurrency payments made to the gang. The first criminal case with Eurojust was initiated in May 2021 by the French authorities.

“This investigation shows that once again, international cooperation is the key to taking down ransomware groups. Prevention and security are improving, but ransomware operators continue to innovate and find new victims,” said Edvardas Šileris, Director of the European Cybercrime Center at Europol.

“Europol will play its role in supporting EU member states when they target these groups, and each case helps us improve our investigation methods and our understanding of these groups. I hope this series of arrests sends a strong message to ransomware operators who believe they can continue their attacks without consequences. »

Recorded Future ransomware expert Allan Liska said Ragnar Locker is “one of the oldest continuously operating ransomware groups” and noted its attacks against dozens of large and small organizations around the world .

They have also been linked to the cybercriminal organization known as FIN8 in the past, Liska said, echoing research carried out by several cybersecurity companies showing the connections between the two.

The arrests linked to the takedown of the Ragnar Locker leak site represented a stark contrast to the latest law enforcement operation focused on ransomware. In January, several agencies removed infrastructure linked to the Hive ransomware group but did not announce any arrests. Researchers discovered this week that The hive reforms and start working on another cybercriminal project.

Get more information with the

Future saved

Intelligence cloud.

Learn more.

No previous articles

No new articles

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Leave a comment