Germany seizes leak site of ‘Vanir’ ransomware operation

German law enforcement has taken down some of the infrastructure used by a ransomware group deploying a new strain of malware in a small number of attacks. 

Officials in the city of Karlsruhe and state of Baden-Württemberg said they took over the leak site used by hackers deploying the Vanir Locker ransomware.

The site emerged in July when the group posted three victims, including a company based in Germany. 

The Karlsruhe Public Prosecutor's Office and the Baden-Württemberg State Criminal Police Office said they have been investigating members of the operation since June.

“In August 2024, investigators managed to identify the server of a site in the so-called TOR network. The group has announced that it will publish the data obtained from the affected companies on this site,” they said. 

“Today, the perpetrators' TOR page was taken over by the State Criminal Police Office on behalf of the Cybercrime Center and redirected to a blocked page. By blocking the page, the data stolen by the perpetrators can no longer be published on their TOR page.”

The officials did not respond to requests for comment about whether arrests were made or if the German company listed on the leak site was affected by a ransomware attack. In their statement, they said the investigation “into the identity of the perpetrators is ongoing.”

Some researchers said they believe the group has ties to the Akira ransomware operation due to similarities in the leak site stylization. 

Experts at HackManac, which monitors dark web posts, said Vanir is an Eastern European group “composed of former affiliates from groups like Karakurt, LockBit, and Knight ransomware.”

The leak site takedown highlights the frustrating game of whack-a-mole law enforcement agencies around the world continue to go through as they seek to address ransomware. 

The inability to arrest ransomware affiliates and developers — because so many are located in Russia and other countries that provide them cover — allows them to simply regroup and create new strains.

Many of the affiliates involved with now-defunct groups like LockBit and AlphV have moved on to conducting attacks on behalf of other groups like RansomHub.