December 2, 2023

A “key target” allegedly involved with the Ragnar Locker ransomware group was arrested in Paris on Monday, according to officials at Europol.

The announcement, made Friday, is the first official word from law enforcement after the gang’s leak site was replaced with a banner featuring the insignias of several agencies on Thursday.

Europol said law enforcement and judicial authorities from 11 countries coordinated to conduct several raids intended to take down the group.

The police agency said that in addition to the unnamed person arrested in Paris on October 16, that person’s home in Czechia was searched and five people in Spain and Latvia were interviewed in the last week.

Ragnar Locker has operated since December 2019, attacking several major targets since 2020 including the largest airline in Portugal, a large Israeli hospital and the national natural gas operator of Greece.

“At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court,” Europol officials said. “The ransomware’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.”

The French National Gendarmerie led the investigation with law enforcement authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and the U.S., Europol said.

Ragnar Locker was responsible for “numerous high-profile attacks against critical infrastructure across the world” according to Europol. Officials noted that an initial round of arrests targeting the group took place in October 2021 in Ukraine.

Ukrainian officials said on Friday that the group is responsible for at least 168 ransomware attacks and noted that they had a detailed organizational structure where researchers looked for vulnerabilities and passed them on to more experienced hackers who deployed the ransomware.

Raids were also conducted in Kyiv “in the premises of one of the members of the group,” the Ukrainian officials said. Police seized laptops, mobile phones and more.

Ukrainian officials added that the person arrested in France is now facing a range of charges tied to several hacking offenses, extortion, money laundering and participation in criminal operations.

Double extortion

Europol said Ragnar Locker is both the name of the ransomware strain and the criminal group that developed and operated the malware.

The gang targeted the Microsoft Windows operating system, often exploiting exposed services like Remote Desktop Protocol. It was well-known for double extortion, where hackers demand ransoms for decrypting data and also for not releasing stolen information.

“The threat level of Ragnar Locker was considered as high, given the group’s inclination to attack critical infrastructure,” Europol said, noting that the group threatened to post the stolen information of any victims who contacted law enforcement.

“Little did they know that law enforcement was closing in on them. Back in October 2021, investigators from the French Gendarmerie and the US FBI, together with specialists from Europol and INTERPOL were deployed to Ukraine to conduct investigative measures with the Ukrainian National Police, leading to the arrest of two prominent Ragnar Locker operators.”

Law enforcement agencies from the participating countries analyzed the group’s malware, conducted forensic investigations of the group’s attacks and traced cryptocurrency payments made to the gang. The initial criminal filing with Eurojust was initiated in May 2021 by French authorities.

“This investigation shows that once again international cooperation is the key to taking ransomware groups down. Prevention and security are improving, however ransomware operators continue to innovate and find new victims,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre.

“Europol will play its role in supporting EU Member States as they target these groups, and each case helps us improve our modes of investigation and our understanding of these groups. I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence.”

Recorded Future ransomware expert Allan Liska said Ragnar Locker is “one of the oldest continuously operating ransomware groups out there” and noted their attacks on dozens of large and small organizations around the world.

They have also been tied to the cybercriminal group known as FIN8 in the past, Liska said, echoing research conducted by several cybersecurity firms showing ties between the two.

The arrests tied to the takedown of the Ragnar Locker leak site represented a stark contrast to the last ransomware-focused law enforcement operation. In January, several agencies took down infrastructure tied to the Hive ransomware group but did not announce any arrests. Researchers this week discovered that Hive is reforming and starting work on another cybercriminal project.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.