TrollEye Security

International Law Enforcement Shuts Down Ragnar Locker's Tor Sites

International law enforcement agencies seized the Tor negotiation and data leak sites operated by the Ragnar Locker ransomware group on October 19th. This decisive action disrupted the ransomware operation’s mechanisms, showcasing a significant win in the battle against digital criminal enterprises.

International Coalition Against Cybercrime

The seizure saw a large contingent of law enforcement from the US, Europe, Germany, France, Italy, Japan, Spain, Netherlands, and Latvia coming together in a coordinated effort against the Ragnar Locker group. Visiting the seized websites now displays a message affirming the law enforcement action against the group. Europol confirmed the legitimacy of this operation and indicated that a forthcoming press release would provide more details on the international endeavor aimed at neutering the Ragnar Locker ransomware operation.

The Insidious Legacy of Ragnar Locker

Since its inception at the end of 2019, Ragnar Locker has been an eminent threat in the cybersecurity realm, particularly targeting enterprises. The modus operandi involved breaching corporate networks, spreading laterally to harvest and encrypt data. The encrypted files and exfiltrated data were then utilized in double-extortion schemes to coerce victims into paying ransoms.

Unlike many contemporary ransomware operations that adopt a Ransomware-as-a-Service (RaaS) model, Ragnar Locker operated semi-privately. Rather than recruiting affiliates openly, the group collaborated with external pentesters to infiltrate networks. Additionally, Ragnar Locker has been known for pure data theft attacks, bypassing encryption to directly extort victims using the stolen data.

A Shift in Tactics and Potential Offshoots

Recent reports from cybersecurity researchers like MalwareHunterTeam indicate a tactical shift, with Ragnar Locker adopting a VMware ESXi encryptor, seemingly derived from Babuk’s leaked source code. Concurrently, a new ransomware operation named DarkAngels has been observed using Ragnar Locker’s original ESXi encryptor in an attack on industrial behemoth Johnson Controls. The relationship between DarkAngels and Ragnar Locker remains nebulous – whether it’s an offshoot, a rebranding, or merely a purchase of the source code is yet to be ascertained.

Ragnar Locker’s extensive illicit portfolio includes high-profile attacks on entities like Energias de Portugal (EDP), Capcom, Campari, Dassault Falcon Jet, ADATA, and the City of Antwerp, Belgium, marking the group as a significant player in the ransomware arena. The seizure of their Tor sites not only marks a setback for Ragnar Locker but also serves as a beacon of hope for law enforcement and cybersecurity endeavors.

The action against Ragnar Locker coincides with another proactive measure where the Ukrainian Cyber Alliance disrupted the Trigona Ransomware operation, retrieving data before erasing their servers. Such concerted efforts exhibit a rising tide of resistance against ransomware operations, bringing a glimmer of hope to an otherwise grim digital extortion landscape.

As law enforcement agencies and cybersecurity communities galvanize their resources and intelligence, the fight against ransomware is gaining momentum. The seizure of Ragnar Locker’s Tor sites epitomizes the potential of international cooperation in dismantling the structures that empower digital extortionists, paving the path towards a more secure digital ecosystem.
