Law Enforcement Seize Ragnar Locker Ransomware’s Extortion Websites


October 19, 2023

World map

An international law enforcement operation coordinated between authorities in the US, EU, Germany, France, Italy, Japan, Spain, Netherlands, Czech Republic and Latvia seized the negotiation and data leak sites of the Ragnar Locker Ransomware gang.

“BleepingComputer has confirmed that visiting either website now displays a seizure message stating that a large assortment of international law enforcement from the  were involved in the operation,” BleepingComputer reports.

“A Europol spokesperson has confirmed the seizure message is legitimate as part of an ongoing action targeting the Ragnar Locker ransomware gang and that a press release will be published tomorrow. The FBI declined to comment.”

Takeaway: RagnarLocker is not a traditional RaaS. They first emerged in December of 2019 and were assessed to be related to or working in cooperation with Maze and MountLocker operators.  

RagnarLocker was increasingly active in 2022, but attack volume dripped significantly in the first half of 2023. RagnarLocker ransom demands vary and have been observed to exceed $10 million.

RagnarLocker was opportunistic and was assessed to target based on a victim’s ability to pay large ransom demands, focusing on the manufacturing, energy, financial services, government, and information technology sectors.

RagnarLocker typically compromised victim networks through vulnerable Remote Desktop Protocol (RDP) software, a common ransomware technique.  

Ragnar Locker had both Windows and Linux versions that actively detected and bypassed security tools on the targeted network, as well as scanning for virtual-based machines and any remote management solutions.  

It encrypts with a custom Salsa20 algorithm and has been observed terminating services that managed service providers (MSPs) to remotely protect and manage customer networks.

Good riddance... is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.