Police forces take down RagnarLocker leak sites

An international coalition of police forces has taken the leak sites of the ransomware gang RagnarLocker offline. This criminal organization has been targeting government agencies, healthcare facilities and large corporations, among others, since at least 2020.

The group has mainly targeted organizations in North America and Europe. The police forces that took down the leak sites are also predominantly from these areas. The Dutch Police, Europol, the FBI and Eurojust were among those involved.

RagnarLocker is the name of both the hacker group and the malware it deploys. In April, Israeli cybersecurity firm Sygnia analyzed how the group operated: it deployed the infamous tactic of stealing and encrypting data after infiltration, which earned the criminals millions. For example, travel company CWT reportedly paid $4.5 million to get its data back. RagnarLocker also hit at least 52 institutions in America across 10 critical infrastructure sectors. Some security experts see a link to the Russian state in RagnarLocker’s operations.

Orange Cyberdefense’s Jort Kollerie says the takeover of RagnarLocker’s Tor websites is a “crucial step, because it’s one of the oldest ransomware groups.” The action is made even more important by the fact that the group has “consistently remained active. This is unusual because of the fast-moving changes in the ransomware ecosystem,” says Kollerie.

Has RagnarLocker been eliminated?

Successfully taking down the leak site prevents the data of victimized organizations from quickly coming online. However, Erich Kron of KnowBe4 told SiliconANGLE that the police action may be “no more than an inconvenience” for the criminals. After all, the gang can still release information through other websites. He also argues that victim organizations may now face more difficulty in their recovery efforts. For example, decryption keys may have been lost in the operation. In addition, unencrypted data could still be in the hands of the RagnarLocker criminals.

Similar actions by police departments took place earlier this year. Not only was the criminal marketplace Genesis Market busted, but arrests of Genesis suspects worldwide took place at the same time. Nothing of this nature was disclosed this time, although the link to Russia seems to reduce the chances of being caught.
