Is the Ragnar Locker Ransomware Group Headed for Oblivion?

International Law Enforcement Operation Seizes Infrastructure, Disrupts Operation

October 19, 2023    

Image: Ragnar Locker’s currently inaccessible “Wall of Shame” data leak site

The data leak and negotiation sites for the Ragnar Locker ransomware group went offline Thursday after an international law enforcement operation seized its infrastructure.

Law enforcement agencies participating in the crackdown include the FBI, as well as authorities in France, Germany, Italy, Spain and the Netherlands, backed by Europol’s European Cybercrime Center as well as the EU Agency for Criminal Justice Cooperation.

Europol confirmed the takedown to Bleeping Computer – which first reported on Ragnar Locker being disrupted – and said it planned to formally announce the disruption on Friday, after unspecified additional efforts have concluded.

Ragnar Locker’s Tor-based data-leak site resolves to this takedown notice, as displayed on Oct. 19, 2023. (Image: Information Security Media Group)

It’s been a busy week for disrupting ransomware operations. On Wednesday, pro-Ukrainian hackers claimed responsibility for wiping the servers of the recently formed Trigona ransomware gang.

Ragnar Locker appears to have remained active until its takedown. The group behind the ransomware is known for crypto-locking Windows and Linux systems as well as practicing double extortion, meaning it steals data and threatens to leak it in order to pressure victims into paying. The group regularly demands ransoms of $10 million or more, although how many victims pay a ransom – or the final amount they negotiate attackers down to – remains unclear.

Security experts say the group executes its own attacks or works closely with a handful of trusted partners, rather than running a ransomware-as-a-service operation and leasing its malware to affiliates in exchange for a cut of every ransom paid.

Long-Running Operation

First appearing in December 2019 as a possible Maze or MountLocker spinoff or partner, Russian-speaking Ragnar Locker had become one of the longest-running ransomware operations, albeit one often classified as operating in the mid-level tier, as compared to high fliers such as REvil/Sodinokibi, DarkSide, Conti, DoppelPaymer, Ryuk, Royal, Alphv/BlackCat and LockBit. Then again, many of those operations no longer exist, or at least their members have moved on to other operations or rebranded groups.

In its earlier days, Ragnar Locker made a name for itself by amassing high-profile victims such as energy firm Energias de Portugal, Japanese gaming firm Capcom, aircraft maker Dassault Falcon and Italian liquor-making giant Campari. With the latter, the group displayed its penchant for provocation, by hacking into an unaffiliated third-party organization’s social media account to lambast Campari for opting to not pay the ransom it demanded.

The attackers continued to refine their shakedown strategies, including a memorable turn in 2021 when they threatened to immediately leak stolen data for any victim who even thought about attempting to work with law enforcement or hire ransomware response or negotiation experts.

“If you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately,” the group told victims in its ransom note. Experts said the attempt to steer victims away from getting help highlighted just how useful police and expert assistance continues to be for victims (see: Ragnar Locker: ‘Talk to Cops or Feds and We Leak Your Data’).

Ragnar Locker was also one of a number of groups that collaborated with the notorious Conti group.

Critical Infrastructure Hits

In March 2022, the FBI warned that the group appeared to be actively targeting critical infrastructure sectors, having amassed at least 52 U.S. victim organizations across 10 critical infrastructure sectors.

Other victims of the group that came to light last year included a Greek gas operator, a primary healthcare system in Italy, Portugal’s national airline and the Belgian city of Antwerp. The group’s targeting of critical infrastructure sectors has continued. Last month, Ragnar Locker leaked data stolen from an Israeli hospital.

More recently, cybersecurity researcher MalwareHunterTeam told Bleeping Computer that last month’s attack against Johnson Controls involved the Linux encryptor used by Ragnar Locker since 2021, although a new ransomware operation calling itself DarkAngels took responsibility for the attack. Whether DarkAngels is a potential partner, offshoot or rebrand of Ragnar Locker isn’t clear.

Long-Term Impact: Unclear

Whether this week’s disruption of Ragnar Locker spells the end of the group remains unclear. Law enforcement has previously disrupted multiple ransomware groups, only to see them resurface one or more times after members of the group rebuilt their infrastructure. Examples include REvil, aka Sodinokibi (see: Who’s Behind Attempt to Reboot REvil Ransomware Operation?).

In some cases, police appear to have infiltrated operations before their takedown, or at least to have seized or copied critical infrastructure. Whoever attempted to restart REvil’s dark web data leak site and payment portal in October 2021 tried to restore a previously used .onion site by reusing its private key, only for someone – likely law enforcement – to kibosh those efforts, seemingly because they also possessed the private key (see: REvil’s Cybercrime Reputation in Tatters – Will It Reboot?).

One repeat challenge for Western law enforcement is that many ransomware operators and their affiliates are based in Russia, which never extradites its citizens to face charges abroad. Hence while their infrastructure might get disrupted, so long as these ransomware practitioners remain at large, they can restart their operations.
