RagnarLocker taken down by international law enforcement action.
By Tim Nodar, CyberWire senior staff writer
Oct 20, 2023

RagnarLocker was an active, ruthless, and indiscriminate cyber gang. They've been hit hard, but they're probably not down for the count.

RagnarLocker taken down by international law enforcement action.

The RagnarLocker ransomware operation’s negotiation and data leak sites were seized yesterday by an international group of law enforcement agencies, BleepingComputer reports.

International partners were from Europe, Asia, and North America.

A spokesperson for Europol told TechCrunch that the agencies will officially announce the takedown later today. Based on the takedown notice posted to the seized websites, the operation involved law enforcement entities from the US, Germany, France, Italy, Japan, Spain, the Netherlands, the Czech Republic, and Latvia.

BleepingComputer notes that RagnarLocker wasn’t part of a ransomware-as-a-service operation, but was a private gang that would recruit outside help to breach networks.

A setback surely, but probably not an elimination.

Industry experts suggest that, while any thinking person should applaud the takedown, that thinking person should also temper their expectations. “While on the surface, this feels like a win, ultimately it may be no more than an inconvenience for the Ragnar group if they are able to quickly set up other servers to replace these,” Erich Kron, Security Awareness Advocate at KnowBe4, commented. “In addition, this could cause problems for people whose organizations have been impacted by a ransomware attack, but have now lost a method to negotiate with the bad actors. Unless the websites that were seized contain information or decryption keys for these people, it could significantly delay their ability to recover. In the cases where encryption didn’t occur but the data was stolen, there’s a good chance that that data still resides with people that make up the group.”

Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said, in early emailed comments, “It’s expected that on Friday, 20 October 2023 law enforcement agencies from the European Union, the U.S. and Japan will formally announce the seizure of RagnarLocker’s dedicated leak site (DLS). CrowdStrike tracks RagnarLocker as VIKING SPIDER who has been operating since at least December 2019. VIKING SPIDER is one of the first Big Game Hunting ransomware adversaries to leverage the threat of publication of stolen data to a DLS to pressure victims. In its period of activity, VIKING SPIDER posted over a hundred victims from 27 sectors to their DLS.”

But betting on form, expect the effects of the takedown to be severe, but perhaps not permanent. “CrowdStrike Intelligence assesses that this operation will likely severely impact VIKING SPIDER operations in the medium term. This assessment is made with moderate confidence given the effectiveness of other similar operations.”