On October 16, law enforcement agents arrested a 35-year-old man in Paris. Details of the individual are disclosed. The suspect is allegedly the main perpetrator behind the RagnarLocker ransomware group.
The combined efforts of law enforcement agents resulted in the seizure of the RagnarLocker dark web portal. The portal is used by the ransomware group to extort victims by publishing stolen data.
RagnarLocker, the name of the group and its ransomware malware, is allegedly linked to Russia. The group is notorious for targeting critical infrastructure sectors from non-commonwealth countries.
In an announcement on Friday, Ukraine’s police stated that the RagnarLocker group had attacked and extracted confidential data from 168 international companies across Europe and the United States.
The ransomware group demanded funds ranging from $5 to $70 million in cryptocurrency from the targeted victims. Victims who refused to pay the ransom demands or contacted law enforcement would have their information published on the RagnarLocker dark web “WALL OF SHAME.”
In 2022, The Federal Bureau of Investigation identified at least 52 U.S. entities throughout 10 infrastructure sectors, including energy, government, and manufacturing, that had fallen victim to RagnarLocker ransomware.
The FBI’s flash report revealed several components associated with RagnarLocker’s criminal activities, including Bitcoin addresses used to collect ransom money and email addresses used by the group.
In recent months, the ransomware group claimed responsibility for an attack on Israel’s Mayanei Hayeshua hospital. The group threatened to publish more than a terabyte of data allegedly stolen during the incident.
The seizure of the group’s dark web portal and allegedly head honcho is a massive win for law enforcement agencies. Ongoing investigations into the group’s alleged origins are a priority for law enforcement agencies.
“The ‘key target’ of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days, At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.”
Capturing A Darknet Kingpin
In May 2021, French authorities contacted Eurojust in an effort to arrest the RagnarLocker ransomware group. Eurojust opened a case and conducted five meetings to facilitate a judicial collaboration among authorities involved in the investigation.
On September 28, 2021, an international investigation consisting of the French National Gendarmerie, Ukrainian National Police, Federal Bureau of Investigation (FBI), and Europol led to the arrest of two prolific ransomware criminals.
The two prolific perpetrators, known for their ransomware demands between €5 – €70 million, formed part of the notorious RagnarLocker group. At the time, police seized over $1.3 million in cryptocurrency, $375k in US dollars, and other assets.
The two arrests made formed part of a larger operation targeting ransomware groups operating on the dark web. The investigation continued to operate in the dark, which subsequently led to further arrests made.
In October 2022, Canadian police arrested another suspect linked to the RagnarLocker ransomware group. The suspect was apprehended in a joint operation conducted by Canadian, French, and US law enforcement agencies.
Europol’s European Cybercrime Centre heavily supported the ongoing investigation. The organization brought together all 11 countries involved to establish a joint operation and strategy.
Europol confirmed the following: 11 authorities took part in the investigation:
- Czechia: National Counter-Terrorism, Extremism, and Cybercrime Agency of Police of the Czech Republic
- France: National Cybercrime Centre of the French Gendarmerie (Gendarmerie Nationale, C3N)
- Germany: State Criminal Police Office Sachsen (Landeskriminalamt Sachsen), Federal Criminal Police Office (Bundeskriminalamt)
- Ukraine: Cyberpolice Department of the National Police of Ukraine (Національна поліція України)
- Netherlands: Police of East Netherlands (Politie Oost-Nederland)
- Spain: Civil Guard (Guardia Civil)
- Sweden: Swedish Cybercrime Centre (SC3)
- United States: Atlanta Field Office of the Federal Bureau of Investigation
- Italy: State Police (Polizia di Stato), Postal and Communication Police (Polizia Postale e delle Comunicazioni)
- Japan: National Police Agency (NPA)
- Latvia: State Police (Latvijas Valsts Policija)
It Ends In Paris
Europol’s cybercrime specialists co-ordinated 15 meetings with international agencies. The organization provided law enforcement agents with analytical, forensic, malware, and crypto-tracing support.
The organization also set up a virtual command post at Europol, to ensure a smooth operation between all the authorities involved.
In an operation carried out between 16 and 20 October, law enforcement agents conducted searches in Spain, Latvia, and Czechia. Agents targeted a “key feature” of the ransomware group.
On October 16, Law enforcement agents raided and searched the premises of an alleged key member of the RagnarLocker group. Following the search and seizure, police arrested the suspect.
The arrested individual is believed to be the main developer of the RagnarLocker ransomware group. Authorities interviewed 5 other alleged associates of the suspected ransomware developer in Spain and Latvia.
An international investigation into RagnarLocker’s infrastructure stretched to several other countries. In Netherland, Germany, and Sweden, authorities located nine of RagnarLocker’s servers; five in the Netherlands, two in Germany and two in Sweden.
Eurojust also reports that it seized various amounts of cryptocurrencies, although the total value is undisclosed. Furthermore, Ukrainian authorities indicated that its officers conducted a successful search of another RagnarLocker suspect in Kiev.
Ukrainian officials seized laptops, mobile devices, and other electronic equipment used by the group. Italian police (Polizia di Stato) also confirmed their involvement in the international effort, through a press release.
Italian authorities published a video, revealing footage from a search and seizure operation conducted by French, Czech, and Italian police agents. It’s unclear where the footage was taken, presumably in the residence of a 35-year-old man whom officials arrested.
The End Of A Three-Year Ransomware Nightmare
RagnarLocker, active since 2020, is the name of a ransomware strain and group which created the software. This ransomware group became famous for attacking the critical infrastructure of entities throughout the world.
RagnarLocker malware targeted devices running Microsoft Windows operating systems and exploited services such as Remote Desktop Protocol to gain access. Once granted, the malware locks the users files and prevents access.
This ransomware allowed the group to use a double extortion tactic. The group would demand ransomware payments for decryption tools to unlock the blocked files, as well as for the non-publication of stolen data.
RagnarLocker warned its victims against alerting the authorities, consequently, data would be leaked on the group’s darknet “WALL OF SHAME”, for non-compliance. The group poses a high threat of danger, given their inclination to exploit critical infrastructure.