Europol and Eurojust have successfully coordinated an international law enforcement action to dismantle the Ragnar Locker ransomware group. The group, active since December 2019, targeted companies in the industrial sector that were considered critical and likely to pay ransoms. Ragnar Locker differentiated itself from other ransomware groups by operating independently and selectively collaborating with third parties. The group was known for warning victims against seeking law enforcement assistance and threatening to leak stolen data.
The takedown operation involved authorities from 11 countries, including the Czech Republic, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States. The investigation, which began in May 2021, resulted in the arrest of several individuals in Ukraine and a suspected Ragnar Locker developer in Paris. Law enforcement also seized the group’s ransomware infrastructure in Germany, the Netherlands, and Sweden, and shut down their dark leak site in Sweden.
While this takedown is a significant victory in the fight against ransomware, it does not guarantee the permanent elimination of the threat. Past experiences have shown that some ransomware groups may rebrand and resurface under new names. Ongoing investigations and continued vigilance from both law enforcement and enterprises are necessary to combat this evolving threat.
The successful international cooperation in dismantling the Ragnar Locker ransomware group follows similar actions against other cybercriminal organizations, including the takedown of Qakbot, the disruption of the Hive ransomware group, the arrest of members of the REvil ransomware group, and the dismantling of the Emotet malware and botnet infrastructure. These multinational efforts demonstrate the effectiveness of cooperative law enforcement operations in combating previously untouchable cybercriminal groups.