top of page

Europol dissolves Ragnar Locker Infrastructure, Nabs Key Developer

On Friday, Europol declared the destruction of the Ragnar Locker ransomware's infrastructure and the apprehension of a "key target" in France.

"In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain, and Latvia," according to the agency. "The main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court."

The servers and the data leak portal were confiscated in the Netherlands, Germany, and Sweden, while five more members of the ransomware ring are rumoured to have been questioned in Spain and Latvia.

Authorities from the Czech Republic, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States are participating in this coordinated exercise, which is the most recent one. In 2021, two suspects connected to the ransomware group were first taken into custody in Ukraine. Another member was captured in Canada a year later.

Since its initial appearance in December 2019, Ragnar Locker has been linked to many attacks on global critical infrastructure targets. Since 2020, the group has attacked 168 foreign enterprises worldwide, according to Eurojust.

"The Ragnar Locker group was known to employ a double extortion tactic, demanding extortionate payments for decryption tools as well as for the non-release of the sensitive data stolen," Europol stated.

According to the Ukraine's Cyber Police, laptops, cell phones, and electronic media were seized during raids at one of the accused members' Kyiv residences.

At the same time as the law enforcement activity, the Trigona ransomware group's leak site was penetrated and shut down by the Ukrainian Cyber Alliance (UCA), who also deleted data from ten of the servers. It appears from the evidence that the Trigona actors were using Atlassian Confluence for their work.

The continued attempts to combat the ransomware threat are exemplified by the deconstruction of Hive and Ragnar Locker, as well as the efforts made by threat actors to change their identities and adapt. For example, Hive has reappeared as Hunters International.

This development coincides with the announcement that the Central Bureau of Investigation in India has conducted 76 raids in 11 states as part of a national campaign to dismantle the infrastructure that supports financial crimes enabled by the internet, including cryptocurrency fraud and tech support scams. The agency's claims are based on information shared by Amazon and Microsoft.

Operation Chakra-II, as it was code-named, resulted in the seizure of 48 laptops/hard drives, 32 cell phones, pen drives, pictures of two servers, 33 SIM cards, and a dump of fifteen email accounts.

It also comes after the 31-year-old Moldovan national Sandu Diaconu was extradited to the United States from the United Kingdom to face charges pertaining to his administration of the E-Root Marketplace website, which provided access to over 350,000 compromised computer credentials for ransomware attacks, illicit wire transfers, and tax fraud worldwide.

Online safety

After going live in January 2015, the website was shut down in 2020, and Diaconu was detained in the United Kingdom in May 2021 while attempting to leave the nation.

The U.S. Department of Justice (DoJ) stated last week that "the E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers."

"Buyers could search for compromised computer credentials on E-Root, such as RDP and SSH access, by desired criteria such as price, geographic location, internet service provider, and operating system."

In a separate law enforcement case, former U.S. Navy IT manager Marquis Hooper was found guilty of collecting 9,000 U.S. individuals' personally identifiable information (PII) illegally and selling it for $160,000 in bitcoin on the dark web, receiving a sentence of five years and five months in prison.

4 views0 comments


bottom of page