Ragnar Locker takedown

Posted date 16/11/2023

Active since December 2019, Ragnar Locker is the name of both a ransomware variant and the criminal group that developed and operated it. The group is responsible for attacks on at least 52 entities in 10 critical infrastructure sectors. It employed a dual extortion tactic (freezing access to systems and threatening to disclose stolen data), targeted devices running Microsoft Windows operating systems, and typically exploited exposed services, such as Remote Desktop Protocol (RDP), to gain system access.

The investigation into this organization was launched in May 2021, led by the French National Gendarmerie, together with law enforcement authorities from the Czech Republic, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and the United States. 

According to Europol, the action took place between October 16 and 20. This new joint effort involved the seizure of the Ragnar Locker ransomware infrastructure in the Netherlands, Germany and Sweden; the removal of the associated Tor data breach website in Sweden; and the arrest of one of the group's alleged developers in Paris, as well as the search of his home in the Czech Republic.