RagnarLocker ransomware dark web site seized in international sting
An international group of law enforcement agencies have seized the dark web portal used by the notorious RagnarLocker ransomware group, TechCrunch has learned.
A message on the RagnarLocker website now states that, “this service has been seized by a part of a coordinated international law enforcement action against the RagnarLocker group.” According to the seizure notice, the operation involved law enforcement agencies from the United States, the European Union and Japan.
The full scale of the operation is not yet known, and it’s unclear whether the gang’s infrastructure was also seized, if any arrests were made or whether any stolen funds have been recovered.
Europol spokesperson Claire Georges confirmed to TechCrunch that the agency was involved in “ongoing action against this ransomware group.” The spokesperson said that Europol plans to announce the takedown on Friday “when all the actions have been finalised.”
An unnamed spokesperson for the Italian State Police also said that details of the operation will be published Friday. An unnamed FBI spokesperson declined to comment.
TechCrunch has also contacted law enforcement agencies in Spain, Latvia, Germany and the Netherlands, but has not yet received a response.
RagnarLocker is both the name of a ransomware strain and the criminal group that develops and operates it. The gang, which some security experts have linked to Russia, has been observed targeting victims since 2020, and has predominantly attacked organizations in the critical infrastructure sectors.
In an alert published last year, the FBI warned that it had identified at least 52 U.S. entities across 10 critical infrastructure sectors, including manufacturing, energy and government, that had been affected by RagnarLocker ransomware. At the same time, the FBI released indicators of compromise associated with RagnarLocker, including Bitcoin addresses used to collect ransom demands, and email addresses used by the gang’s operators.
Although the gang has been under the watchful eye of law enforcement for some time, the RagnarLocker has been targeting victims as recently as this month, according to ransomware tracker Ransomwatch. In September, the gang claimed responsibility for an attack on Israel’s Mayanei Hayeshua hospital and threatened to leak more than a terabyte of data allegedly stolen during the incident.
Lorenzo Franceschi-Bicchierai contributed reporting. Updated with more from Italian and U.S. authorities.