The dark web site that the RagnarLocker ransomware group used for naming and shaming victims was seized on Thursday as part of a coordinated law enforcement effort.
Active since 2020, RagnarLocker has been involved in numerous attacks, with at least 52 entities across 10 critical infrastructure sectors falling victims to this ransomware family, according to data from the Federal Bureau of Investigation (FBI).
Unlike other ransomware operations, RagnarLocker was not promoted as ransomware-as-a-service, but was operated by a private group that cooperated with other cybercriminals only when needed.
On the infected machines, RagnarLocker would gather and exfiltrate system information, iterate through all drives, terminate services that could interfere with the encryption process, and then encrypt all files of interest, avoiding folders and files that might impede the systems operation.
The same as other ransomware groups, the RagnarLocker cybergang would exfiltrate victims’ data to use it for extortion. In some cases, the group would only steal data for extortion, without deploying file-encrypting ransomware.
The cybergang then listed the alleged victims of its attacks on a Tor-hosted leak site, threatening to release it publicly unless a ransom was paid.
Starting Thursday, a message displayed in English on the RagnarLocker ransomware operation’s Tor-based website informs visitors that “this service has been seized as part of a coordinated international law enforcement action against the RagnarLocker group.”
Authorities in a dozen countries were involved in this effort, including law enforcement agencies in France, Germany, Italy, Latvia, the Netherlands, Slovakia, Spain, and the US, coordinated by Europol.
This year, law enforcement operations also led to the shutdown of other nefarious dark web site, including the Hive ransomware portal in January, the Genesis Market cybercrime marketplace in April, and the drugs marketplace Piilopuoti in September.
Related: Deep Dive Into Ragnar Locker Ransomware Targeting Critical Industries
Related: Law Enforcement Blowback Powering Anti-Ransomware Success
Related: Tor-Based Drug Marketplace Piilopuoti Shut Down by Law Enforcement
Related: Feedback Friday: Industry Reactions to Hive Ransomware Takedown