23 October 2023

Ragnar Locker ransomware dev arrested in France


Ragnar Locker ransomware dev arrested in France

The developer of the Ragnar Locker ransomware has been arrested in Paris, France, as part of an international law enforcement effort to dismantle the Ragnar Locker ransomware operation known for targeting critical infrastructure across the world, including hospitals.

Active since 2019, the ransomware operation employed a double extortion tactic, demanding payments for decryption tools as well as for the non-release of the sensitive data stolen. The operators of Ragnar Locker threatened their victims to not hire negotiators, stating it would be considered a hostile act.

Ragnar Locker typically delivers malware via RDP or exploitation of other exposed applications or interfaces.

As part of the law enforcement operation, carried out between 16 and 20 October, the authorities conducted raids in Czechia, Spain and Latvia. Five suspects were detained in Spain and Latvia. Additionally, Ukrainian cyber cops conducted searches at a suspect’s home in Kyiv and seized laptops, mobile phones and “electronic storage devices.”

An alleged developer of the Ragnar group has been brought in front of the examining magistrates of the Paris Judicial Court, Europol said.

The ransomware’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.

Last week, a group of pro-Ukraine hacktivists known as Ukrainian Cyber Alliance commandeered a data leak site of the Trigona ransomware, exfiltrated data and wiped the servers. The group said they used a privilege escalation vulnerability (CVE-2023-22515) in Atlassian Confluence software said to have been exploited by at least one threat actor (Storm-0062) since September 2023.

The activists said they exfiltrated the information from Trigona’s administration and victim panels, their blog and data leak site, as well as the developer environment, cryptocurrency hot wallets, the source code and database records.


Back to the list

Latest Posts

New EagleMsgSpy surveillance tool linked to Chinese authorities

New EagleMsgSpy surveillance tool linked to Chinese authorities

The Android-based tool has been in operation since at least 2017.
12 December 2024
Russian Turla APT exploits other threat actors’ tools to attack Ukraine

Russian Turla APT exploits other threat actors’ tools to attack Ukraine

Secret Blizzard used the Amadey bot malware to deliver its custom backdoor called “KazuarV2” onto specifically selected systems in Ukraine.
12 December 2024
Global police op shuts down major DDoS platforms

Global police op shuts down major DDoS platforms

As part of the effort, three suspected administrators were arrested in France and Germany.
11 December 2024