Ragnar Locker ransomware site taken down by FBI, Europol

The leak site of the prolific ransomware gang Ragnar Locker was replaced with a takedown notice from the FBI, Europol and several law enforcement agencies in Europe on Thursday.

In a statement to Recorded Future News, a Europol spokesperson said they cannot release more information about the operation because “a number of actions are still ongoing.”

“I can confirm that Europol is part of an ongoing action against this ransomware group,” Europol deputy spokesperson Claire Georges said. “A communication is planned for tomorrow afternoon when all the actions have been finalised.”

An FBI spokesperson declined to comment about the operation. If confirmed, this would be the latest in a string of ransomware gang takedowns this year — the Hive group notably had their infrastructure disrupted in January.

The FBI reported that from April 2020 to March 2022, the Ragnar Locker ransomware was responsible for attacks on at least 52 entities across 10 critical infrastructure sectors, including companies involved in manufacturing, energy, financial services, government, and information technology sectors.

Since 2019, the group has used the double extortion tactic — freezing access to systems and threatening to release stolen data — to extract as much money out of victims.

The group has made waves over the years with several high-profile victims, including the largest airline in Portugal, a large Israeli hospital, Greece’s national natural gas operator and most recently corporate travel management firm Carlson Wagonlit Travel.

Emsisoft ransomware expert Brett Callow said Ragnar Locker has been active for a number of years, and is probably one of the longest running brands.

“While this disruption will likely not have a significant impact on the ransomware landscape, it’s nonetheless another win for the good guys,” he said.

The FBI and European law enforcement agencies most recently took action against Qakbot — one of the most prolific and longest-running botnets. It had become the initial access method of choice for multiple high-profile ransomware gangs, including REvil, Black Basta, Conti, Egregor and MegaCortex.

Several other criminal marketplaces, cybercriminal infrastructure organizations and distributed denial-of-service (DDoS) attack platforms have also been dismantled by law enforcement agencies this year.