An international collaboration of law enforcement authorities has seized the dark web site used by the infamous RagnarLocker ransomware group. This operation involves agencies from the United States, the European Union, and Japan. The dark web site of the RagnarLocker group now declares, “this service has been seized by a part of a coordinated international law enforcement action against the RagnarLocker group,” as per the official seizure notice.
Yet it remains unclear whether the criminal gang's infrastructure has also been seized, whether any perpetrators have been arrested, or whether any stolen assets have been recovered. The full extent of the operation is currently unknown.
Europol's Involvement in Operation
Europol's spokesperson, Claire Georges, confirmed to TechCrunch that Europol was involved in an ongoing action against this ransomware group. The agency plans to disclose the details of the takedown operation on Friday after all actions are concluded. An unnamed spokesperson for the Italian State Police has also confirmed that additional information about the operation will be released on Friday. Efforts to contact law enforcement representatives in the U.S., Spain, Latvia, Germany, and the Netherlands have so far gone unanswered.
RagnarLocker: A Year of Cyberattacks
RagnarLocker is the name of both a ransomware variant and the criminal group that creates and operates it. The organization, believed by some security analysts to be connected to Russia, has been actively attacking victims since 2020. Typically, their targets are organizations operating in critical infrastructure sectors.
Gaming company Capcom was one of those hit by RagnarLocker attacks. The publisher behind the Resident Evil franchise says it appears that no customer information was breached. However, the attackers accessed systems such as file servers and email, according to the company.
Last year, the FBI identified 52 U.S. entities across 10 different critical infrastructure sectors, including manufacturing, energy and government, that were impacted by RagnarLocker ransomware. The federal agency also disclosed the indicators of compromise linked to RagnarLocker, such as the Bitcoin addresses used for ransom payments and email addresses employed by the group's operators.
Despite being closely monitored by law enforcement authorities, RagnarLocker continued to target victims up until this month, according to ransomware tracker Ransomwatch. The group recently claimed responsibility for an attack on Israel's Mayanei Hayeshua hospital, threatening to leak over a terabyte of purportedly stolen data.