Image: French Gendarmerie (credit: Gendarmerie Communication)

Europol: ‘Key target’ in Ragnar Locker ransomware operation arrested in Paris

A “key target” allegedly involved with the Ragnar Locker ransomware group was arrested in Paris on Monday, according to officials at Europol.

The announcement, made Friday, is the first official word from law enforcement after the gang’s leak site was replaced with a banner featuring the insignias of several agencies on Thursday.

Europol said law enforcement and judicial authorities from 11 countries coordinated to conduct several raids intended to take down the group.

The police agency said the unnamed suspect was arrested in Paris on October 16, that the suspect's home in Czechia was searched, and that five people in Spain and Latvia were interviewed over the past week.

Ragnar Locker has operated since December 2019 and has attacked several major targets since 2020, including the largest airline in Portugal, a large Israeli hospital and the national natural gas operator of Greece.

“At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court,” Europol officials said. “The ransomware’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.”

The French National Gendarmerie led the investigation with law enforcement authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and the U.S., Europol said.

Ragnar Locker was responsible for “numerous high-profile attacks against critical infrastructure across the world” according to Europol. Officials noted that an initial round of arrests targeting the group occurred in October 2021 in Ukraine.

Ukrainian officials said on Friday that the group is responsible for at least 168 ransomware attacks and noted that it had a detailed organizational structure in which researchers looked for vulnerabilities and passed them on to more experienced hackers, who then deployed the ransomware.

Raids were also conducted in Kyiv “in the premises of one of the members of the group,” the Ukrainian officials said. Police seized laptops, mobile phones and more.

Ukrainian officials added that the person arrested in France is now facing a range of charges tied to several hacking offenses, extortion, money laundering and participation in criminal operations.


Double extortion

Europol said Ragnar Locker is both the name of the ransomware strain and the criminal group that developed and operated the malware.

The gang targeted the Microsoft Windows operating system, typically gaining entry through exposed services such as Remote Desktop Protocol (RDP). It was well known for double extortion, in which the attackers demand a ransom both for decrypting data and for not releasing the information they stole beforehand.
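Because internet-exposed RDP was the group's usual way in, the practical question for a defender is whether a host answers RDP at all and, if so, whether it enforces Network Level Authentication (NLA) or still presents a password-only logon screen. The script below is an added example written for this page, not code from the article or from any of the agencies or firms it quotes. It sends the X.224 Connection Request defined in MS-RDPBCGR with only the TLS protocol requested; a server that enforces NLA has to refuse that with an `RDP_NEG_FAILURE` carrying `HYBRID_REQUIRED_BY_SERVER`, a server that accepts it exposes its logon screen to password guessing, and a server that answers with no negotiation block at all is running legacy RDP security. The sample replies embedded at the bottom are constructed by hand to exercise the parser offline; the hostnames in that table are placeholders, not real systems.

```python
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1 / 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000     # standard RDP security only (legacy)
PROTOCOL_SSL = 0x00000001     # TLS, credentials typed at the Windows logon screen
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication (NLA)

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005  # failureCode: the server insists on NLA


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    # rdpNegReq: type, flags, length (always 8), requestedProtocols; all little-endian
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: LI counts everything after itself (6 fixed bytes + the 8-byte neg request)
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length including the 4-byte TPKT header
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def classify_connection_confirm(data: bytes) -> str:
    """Map the server's X.224 Connection Confirm to an exposure verdict.

    Assumes the request asked for PROTOCOL_SSL only, so a server that enforces
    NLA must answer with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER.
    """
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:
        return "not-rdp"          # not a TPKT-framed X.224 Connection Confirm
    length_indicator = data[4]
    if length_indicator == 6:
        return "legacy-rdp"       # no negotiation block: standard RDP security, no TLS, no NLA
    if len(data) < 19:
        return "malformed"
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_FAILURE:
        if value == HYBRID_REQUIRED_BY_SERVER:
            return "nla-required"
        return f"negotiation-failure-{value}"
    if neg_type == TYPE_RDP_NEG_RSP:
        if value == PROTOCOL_SSL:
            return "tls-only"     # logon screen reachable without NLA: password-spray surface
        if value == PROTOCOL_RDP:
            return "legacy-rdp"
        return f"selected-protocol-{value}"
    return "malformed"


def probe_rdp(host: str, port: int = 3389, timeout: float = 3.0) -> str:
    """Connect to a host you are authorised to test, request TLS only, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL))
        return classify_connection_confirm(sock.recv(1024))


# Constructed sample replies (hand-assembled, not captured from any real host) so the
# parser can be exercised offline; the keys are placeholder names, not real systems.
SAMPLE_REPLIES = {
    "nla-enforced-host": bytes.fromhex("030000130ed000001234000300080005000000"),
    "tls-only-host": bytes.fromhex("030000130ed000001234000200080001000000"),
    "legacy-host": bytes.fromhex("0300000b06d00000123400"),
}


def classify_samples() -> dict:
    """Verdict for each constructed sample reply."""
    return {name: classify_connection_confirm(reply) for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_rdp(sys.argv[1]))
    else:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
```

Run it with a hostname to probe a single host, or with no arguments to see the verdicts for the constructed samples. Anything other than `nla-required` on an internet-facing address is worth fixing: enable NLA, put RDP behind a VPN or gateway, and alert on the logon failures that precede a ransomware deployment.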

“The threat level of Ragnar Locker was considered as high, given the group’s inclination to attack critical infrastructure,” Europol said, noting that the group threatened to post the stolen information of any victims who contacted law enforcement.

“Little did they know that law enforcement was closing in on them. Back in October 2021, investigators from the French Gendarmerie and the US FBI, together with specialists from Europol and INTERPOL were deployed to Ukraine to conduct investigative measures with the Ukrainian National Police, leading to the arrest of two prominent Ragnar Locker operators.”

Law enforcement agencies from the participating countries analyzed the group's malware, conducted forensic investigations of its attacks and traced cryptocurrency payments made to the gang. French authorities first opened the case with Eurojust in May 2021.

“This investigation shows that once again international cooperation is the key to taking ransomware groups down. Prevention and security are improving, however ransomware operators continue to innovate and find new victims,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre.

“Europol will play its role in supporting EU Member States as they target these groups, and each case is helping us improve our modes of investigation and our understanding of these groups. I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence.”

Recorded Future ransomware expert Allan Liska said Ragnar Locker is “one of the oldest continuously operating ransomware groups out there” and noted their attacks on dozens of large and small organizations around the world.

They have also been tied to the cybercriminal organization known as FIN8 in the past, Liska said, echoing research conducted by several cybersecurity firms showing ties between the two.

The arrests tied to the takedown of the Ragnar Locker leak site stand in stark contrast to the last ransomware-focused law enforcement operation. In January, several agencies took down infrastructure tied to the Hive ransomware group but announced no arrests. Researchers this week found that Hive is re-forming and has begun work on another cybercriminal project.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.