Ragnar Locker ransomware gang taken down by international police swoop


This week, law enforcement and judicial authorities from eleven countries delivered a major blow to one of the most dangerous ransomware operations of recent years. 

This action, coordinated at international level by Europol and Eurojust, targeted the Ragnar Locker ransomware group. The group were responsible for numerous high-profile attacks against critical infrastructure across the world.

In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain and Latvia. The “key target” of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days. At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.

The ransomware’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.   

This international sweep follows a complex investigation led by the French National Gendarmerie, together with law enforcement authorities from the Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and the United States of America. 

In the framework on this investigation, a first round of arrests were carried out in Ukraine in October 2021 with Europol’s support.

What kind of malware is Ragnar Locker?

Active since December 2019, Ragnar Locker is the name of a ransomware strain and of the criminal group which developed and operated it.

This malicious actor made a name for itself by attacking critical infrastructure across the world, having most recently claimed the attacks against the Portuguese national carrier and a hospital in Israel. 

This strain of ransomware targeted devices running Microsoft Windows operating systems and would typically exploit exposed services like Remote Desktop Protocol to gain access to the system. 

The Ragnar Locker group was known to employ a double extortion tactic, demanding extortionate payments for decryption tools as well as for the non-release of the sensitive data stolen. 

The threat level of Ragnar Locker was considered as high, given the group’s inclination to attack critical infrastructure. 

Don’t call the cops 

Ragnar Locker explicitly warned their victims against contacting law enforcement, threatening to publish all the stolen data of victimised organisations seeking help on its dark web ‘Wall of Shame’ leak site. 

“All that the FBI/ransomware negotiators/investigators do is muck things up, so we’re going to publish your stuff if you call for help”, the Ragnar Locker ransomware gang announced on its hidden website. 

Little did they know that law enforcement was closing in on them. 

Back in October 2021, investigators from the French Gendarmerie and the US FBI, together with specialists from Europol and INTERPOL were deployed to Ukraine to conduct investigative measures with the Ukrainian National Police, leading to the arrest of two prominent Ragnar Locker operators. 

The investigation continued ever since, leading to the arrests and disruption actions this week. Europol’s European Cybercrime Centre Europol supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy.

Its cybercrime specialists organised 15 coordination meetings and two week-long sprints to prepare for the latest actions, alongside providing analytical, malware, forensic and crypto-tracing support. A virtual command post was set up this week by Europol to ensure seamless coordination between all the authorities involved.

Eurojust support:

The case was opened by Eurojust in May 2021 at the request of the French authorities. Five coordination meetings were hosted by the Agency to facilitate judicial cooperation between the authorities of the countries that supported the investigation. Eurojust set up a coordination centre during the action week to enable rapid cooperation between the judicial authorities involved.  

The Head of Europol’s European Cybercrime Centre, Edvardas Šileris, said:

This investigation shows that once again international cooperation is the key to taking ransomware groups down. Prevention and security are improving, however ransomware operators continue to innovate and find new victims. Europol will play its role in supporting EU Member States as they target these groups, and each case is helping us improve our modes of investigation and our understanding of these groups. I hope this round of arrests sends a strong message to ransomware operators who think they can continue their attacks without consequence.

Close cooperation between the involved law enforcement authorities was also supported by Europol’s Joint Cybercrime Action Taskforce (J-CAT), composed of cybercrime liaison officers posted to Europol’s headquarters.

The following authorities took part in the investigation: 

• Czechia: National Counter-Terrorism, Extremism and Cybercrime Agency of Police of the Czech Republic

• France: National Cybercrime Centre of the French Gendarmerie (Gendarmerie Nationale – C3N)

• Germany: State Criminal Police Office Sachsen (Landeskriminalamt Sachsen), Federal Criminal Police Office (Bundeskriminalamt)

• Italy: State Police (Polizia di Stato), Postal and Communication Police (Polizia Postale e delle Comunicazioni)

• Japan: National Police Agency (NPA)

• Latvia: State Police (Latvijas Valsts Policija)

• Netherlands: Police of East Netherlands (Politie Oost-Nederland)

• Spain: Civil Guard (Guardia Civil)

• Sweden: Swedish Cybercrime Centre (SC3)

• Ukraine: Cyberpolice Department of the the National Police of Ukraine (Національна поліція України)

• United States: Atlanta Field Office of the Federal Bureau of Investigation

The investigation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).