Ragnar Locker attacks Citizen Systems Europe

Incident Date:

September 14, 2023

World map



Ragnar Locker attacks Citizen Systems Europe


Citizen Systems Europe




Staines-Upon-Thames, United Kingdom

Surrey, United Kingdom

First Reported

September 14, 2023

Ragnar Locker Ransomware Gang Attacks Citizen Systems Europe

The Ragnar Locker ransomware gang has attacked Citizen Systems Europe. Citizen Systems Europe is a prominent company specializing in printing and imaging solutions. As a subsidiary of Citizen Systems Japan Co., Ltd., it serves as the European headquarters for the Citizen group's printer business. With its base in the United Kingdom, Citizen Systems Europe plays a pivotal role in managing and expanding the company's operations across Europe. Their focus is on delivering innovative printing solutions to cater to various industries and customer needs throughout the European market.

Ragnar Locker posted Citizen Systems Europe to its data leak site on September 14th but provided no further details.

RagnarLocker's Modus Operandi

RagnarLocker is not a traditional RaaS. They first emerged in December of 2019 and were assessed to be related to or working in cooperation with Maze and MountLocker operators. RagnarLocker typically compromises victim networks through vulnerable Remote Desktop Protocol (RDP) software, a common ransomware technique. RagnarLocker was increasingly active in 2022, but attack volume has dripped off significantly in Q1-2023.

RagnarLocker ransom demands vary and have been observed to exceed $10 million. Ragnar Locker has both Windows and Linux versions that actively detect and bypass security tools on the targeted network, as well as scanning for virtual-based machines, and any remote management solutions. IT encrypts with a custom Salsa20 algorithm and has been observed terminating services that managed service providers (MSPs) to remotely protect and manage customer networks.

RagnarLocker is opportunistic and is assessed to target based on a victim’s ability to pay large ransom demands, focusing on the manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker engages in data exfiltration for double extortion and maintains a leaks site called “Wall of Shame.” RagnarLocker will delete VSS Shadow Copies to thwart encryption rollback.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.