Pierluigi Paganini October 20, 2023

A joint international law enforcement investigation led to the arrest of a malware developer who was involved in the Ragnar Locker ransomware operation.

Yesterday we became aware of a joint law enforcement operation that led to the seizure of the Ragnar Locker ransomware’s infrastructure. The police on Thursday seized the Tor negotiation and data leak sites, group’s infrastructure was located the Netherlands, Germany and Sweden.   

The police arrested a malware developer who was involved in the Ragnar Locker ransomware operation.

The ransomware operation has been active since late December 2019, the FBI published two flash alerts to warn of the operation of the group.

In March 2022, the US Federal Bureau of Investigation (FBI) and CISA published a flash alert to warn that the Ragnar Locker ransomware gang breached the networks of at least 52 organizations across 10 critical infrastructure sectors.

“In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain and Latvia. The “key target” of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days.” reads the press release published by Europol. “At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.”

A distinctive action of the Ragnar Locker gang was to explicitly warn their victims against contacting law enforcement, threatening to publish all the stolen data.

The investigation started back in October 2021, at the time investigators from the French Gendarmerie and the US FBI, along with experts from Europol and INTERPOL were deployed to Ukraine to conduct investigative measures with the Ukrainian National Police, leading to the arrest of two prominent Ragnar Locker operators. 

“This investigation shows that once again international cooperation is the key to taking ransomware groups down. Prevention and security are improving, however ransomware operators continue to innovate and find new victims. Europol will play its role in supporting EU Member States as they target these groups, and each case is helping us improve our modes of investigation and our understanding of these groups. I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence.” said the Head of Europol’s European Cybercrime Centre, Edvardas Šileris.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ragnar Locker ransomware)