The group was responsible for numerous high-profile attacks against critical infrastructure across the world. In a law enforcement action coordinated at the international level by Europol and Eurojust, the ransomware’s infrastructure was seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.
The action was carried out between October 16 and 20. Searches were also conducted in Czechia, Spain and Latvia. The “key target” of this malicious ransomware strain was arrested in Paris on October 16, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days.
By the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, had been brought before the examining magistrates of the Paris Judicial Court.
This international sweep followed a complex investigation led by the French National Gendarmerie, together with law enforcement authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and the United States of America.
In the framework of this investigation, a first round of arrests was carried out in Ukraine in October 2021 with Europol’s support.
The nature of the threat
According to Europol, the ransomware strain and the criminal group which developed and operated it (both called Ragnar Locker) had been active since December 2019.
The threat level of Ragnar Locker was considered high, given the group’s inclination to attack critical infrastructure across the world, most recently by attacking the Portuguese national communications carrier and a hospital in Israel.
How it worked
The ransomware targeted devices running Microsoft Windows operating systems and would typically exploit exposed services like Remote Desktop Protocol to gain access to the system.
The Ragnar Locker group was known to employ a double extortion tactic, demanding extortionate payments for decryption tools as well as for the non-release of the sensitive data stolen.
Ragnar Locker explicitly warned victims against contacting law enforcement, threatening to publish the stolen data of victimized organisations seeking help on its ‘Wall of Shame,’ a “dark web” leak site.
How the antipiracy operation played out
In October 2021, investigators from the French Gendarmerie and the US FBI, together with specialists from Europol and INTERPOL, were deployed to Ukraine to conduct investigative measures with the Ukrainian National Police.
Europol’s European Cybercrime Centre supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy, which led to the actions reported this week.
Its cybercrime specialists organised 15 coordination meetings and two week-long sprints to prepare for the latest actions, alongside providing analytical, malware, forensic and crypto-tracing support. A virtual command post was set up this week by Europol to ensure seamless coordination between all the authorities involved.
All of this led to the arrest of the two Ragnar Locker operators this week.
Participants in the antipiracy operation
The investigation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT). Authorities from eleven countries took part in the investigation:
- Czechia: National Counter-Terrorism, Extremism and Cybercrime Agency of Police of the Czech Republic
- France: National Cybercrime Centre of the French Gendarmerie (Gendarmerie Nationale – C3N)
- Germany: State Criminal Police Office Sachsen (Landeskriminalamt Sachsen), Federal Criminal Police Office (Bundeskriminalamt)
- Italy: State Police (Polizia di Stato), Postal and Communication Police (Polizia Postale e delle Comunicazioni)
- Japan: National Police Agency (NPA)
- Latvia: State Police (Latvijas Valsts Policija)
- Netherlands: Police of East Netherlands (Politie Oost-Nederland)
- Spain: Civil Guard (Guardia Civil)
- Sweden: Swedish Cybercrime Centre (SC3)
- Ukraine: Cyberpolice Department of the National Police of Ukraine (Національна поліція України)
- United States: Atlanta Field Office of the Federal Bureau of Investigation
Europol’s original press release
Ragnar Locker ransomware gang taken down by international police swoop. Press release. October 20, 2023. Europol
Why it matters
“This investigation shows that once again international cooperation is the key to taking ransomware groups down,” said Edvardas Šileris, the Head of Europol’s European Cybercrime Centre. “Prevention and security are improving, however ransomware operators continue to innovate and find new victims. Europol will play its role in supporting EU Member States as they target these groups, and each case is helping us improve our modes of investigation and our understanding of these groups. I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence.”