Law enforcement agencies arrested a malware developer linked with the Ragnar Locker ransomware gang and seized the group’s dark web sites in a joint international operation.
Authorities from France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain, Sweden, Japan, Canada, and the United States were part of this international operation targeting the Ragnar Locker ransomware gang.
In Spain, Latvia, and the Czech Republic, police agents have also raided multiple locations believed to be connected to other Ragnar Locker suspects.
The Ragnar Locker ransomware gang is believed to have carried out attacks against 168 international companies globally since 2020.
“In an action carried out between 16 and 20 October, searches were conducted in three different countries and in total six suspects were heard in the Czech Republic, Spain, Latvia and France. Furthermore, nine servers were taken down; five in the Netherlands, two in Germany and two in Sweden,” Europol said today.
“At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.”
“One of the developers of the malicious software was detained in France,” the Ukrainian cyberpolice added in a separate statement.
This joint operation marks the third action taken against the same ransomware gang. In September 2021, coordinated efforts involving French, Ukrainian, and US authorities led to the arrest of two suspects in Ukraine.
Subsequently, in October 2022, another suspect was apprehended in Canada through a joint operation conducted by French, Canadian, and US law enforcement agencies.
“The case was opened by Eurojust in May 2021 at the request of the French authorities. Five coordination meetings were hosted by the Agency to facilitate judicial cooperation between the authorities of the countries supporting the investigation,” Europol said.
“Eurojust set up a coordination centre during the action week to enable rapid cooperation between the judicial authorities involved.”
The joint action also led to cryptocurrency seizures and the ransomware operation’s Tor negotiation and data leak sites being seized on Thursday.
“This service has been seized as part of a coordinated law enforcement action against the Ragnar Locker group,” a banner displayed on Ragnar Locker’s data leak site reads.
The Ragnar Locker (also known as Ragnar_Locker and RagnarLocker) ransomware operation surfaced in late December 2019 when it started targeting enterprise victims worldwide.
In contrast to many modern ransomware gangs, Ragnar Locker did not operate as a Ransomware-as-a-Service, where affiliates are recruited to breach targets’ networks and deploy the ransomware in exchange for a share of the revenue.
Instead, Ragnar Locker operated semi-private, as they didn’t actively recruit affiliates, choosing to collaborate with external penetration testers to breach networks.
Ragnar Locker’s list of previous victims includes prominent entities such as computer chip manufacturer ADATA, aviation giant Dassault Falcon, and Japanese game maker Capcom.
According to the FBI, this ransomware has been deployed on the networks of at least 52 organizations across various critical infrastructure sectors in the United States since April 2020.