International Law Enforcement Seizes RagnarLocker's Dark Web Site Used for Victim Shaming

Seizure of RagnarLocker Ransomware Dark Web Site

The dark web site that the RagnarLocker ransomware group used to name and shame its victims was seized as part of an international law enforcement operation. This operation was spearheaded by various global bodies including the Federal Bureau of Investigation (FBI). The seizure took place on Thursday and since then, visitors to the site are met with a message that reads, “this service has been seized as part of a coordinated international law enforcement action against the RagnarLocker group.”

The Extent of RagnarLocker’s Actions

According to data provided by the FBI, RagnarLocker has been active since 2020 and has conducted multiple attacks affecting at least 52 entities across 10 critical infrastructure sectors. In addition to their ransomware activities, the group also engaged in cooperative efforts with other cybercriminals as needed. Features of this ransomware family include system information gathering, termination of interfering services, and encryption of files of interest while avoiding those that might hinder system operation.

The Global Collaborative Effort Against RagnarLocker

A total of twelve countries played a part in the effort to seize the RagnarLocker ransomware group's dark web site. This included law enforcement agencies from France, Germany, Italy, Latvia, the Netherlands, Slovakia, Spain, and the United States, amongst others. The operation was coordinated by Europol, a testament to the worldwide collaborative effort required to combat cybercrime. The operations conducted by RagnarLocker have served as a further reminder of the need for global cooperation in this digital age.

RagnarLocker’s Modus Operandi

The RagnarLocker ransomware group operated independently, taking a different approach from other ransomware groups. Unlike many such operations, which are advertised as ransomware-as-a-service, RagnarLocker operated as a private entity. It worked alone most of the time, collaborating with other cybercriminals only when necessary.

Method of Infection and Encryption

Upon infecting a machine, the RagnarLocker ransomware was known to compile and extract critical system information. It would methodically browse through all drives, successfully terminating any services that could potentially disrupt the encryption process. Subsequently, RagnarLocker would proceed to encrypt all relevant files on the infected system. Specifically, the ransomware was programmed to avoid encrypting folders and files that might hinder the efficient functioning of the system.

Extortion Tactics

The RagnarLocker group used extortion as their key method to get ransom from their victims. In the attempt to put their victims on edge, the group exfiltrated data from the infected machines to use it as leverage. In a twist of operations, the group would, in some scenarios, exclusively steal data for extortion purposes without deploying the file-encrypting ransomware. The stolen information would be listed on a Tor-hosted leak site. RagnarLocker would then threaten to release this sensitive data to the public domain unless the besieged parties paid the ransom demanded.

International Law Enforcement Action Against RagnarLocker

Several international law enforcement agencies collaborated to stage a cooperative operation against the RagnarLocker ransomware group. This global action was aimed at disrupting the activities of the cybercriminal group and led to the seizure of the operation's Tor negotiation and data leak sites. Visitors to these sites are now met with a message informing them of the seizure. The message states, "This service has been seized as part of a coordinated law enforcement action against the Ragnar Locker group."

Participating Law Enforcement Agencies

The international law enforcement operation saw participation from numerous countries, reflecting the global nature of this cyber threat. Law enforcement agencies from France, Germany, Italy, the United States, Europe, Japan, Spain, the Netherlands, Czech Republic, and Latvia were reportedly involved in the targeted action against RagnarLocker. The overall coordination of the operation was under the purview of Europol, demonstrating a strong international collaboration in the battle against cybercrime.

Effects of the Operation

The coordinated effort disrupted the RagnarLocker ransomware group's activity by targeting multiple aspects of their operation. Most notably, the operation resulted in the seizure of the group's infrastructure in the Netherlands, Germany, and Sweden. Moreover, the group's Tor data leak website, which was hosted in Sweden, was also taken down. This comprehensive action against RagnarLocker reflects the seriousness of international law enforcement agencies in dealing with cyber threats and securing global cyber space.

Implications and Insight

The successful seizure of RagnarLocker's ransomware dark web site is a significant victory for international law enforcement. However, this event also underscores the increasing prevalence and range of cyberattacks worldwide. This is further evidenced by numerous cybercrime headlines, where disruptive events, ranging from systems hacking to online fraud, are becoming worryingly commonplace.

Reactionary Times News Desk
