Europol Dismantles Ragnar Locker Ransomware Infrastructure, Nabs Key Developer

Ragnar Locker Ransomware

Europol on Friday announced the takedown of the infrastructure associated with Ragnar Locker ransomware, alongside the arrest of a “key target” in France.

“In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain, and Latvia,” the agency said. “The main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.”

Five other accomplices associated with the ransomware gang are said to have been interviewed in Spain and Latvia, with the servers and the data leak portal seized in the Netherlands, Germany, and Sweden.

The effort is the latest coordinated exercise involving authorities from Czechia, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the U.S. Two suspects associated with the ransomware crew were previously arrested from Ukraine in 2021. A year later, another member was apprehended in Canada.

Ragnar Locker, which first emerged in December 2019, is known for a string of attacks targeting critical infrastructure entities across the world. According to Eurojust, the group has committed attacks against 168 international companies worldwide since 2020.

“The Ragnar Locker group was known to employ a double extortion tactic, demanding extortionate payments for decryption tools as well as for the non-release of the sensitive data stolen,” Europol said.


Ukraine’s Cyber Police said it conducted raids at one of the suspected members’ premises in Kyiv, confiscating laptops, mobile phones and electronic media.

The law enforcement action coincides with the Ukrainian Cyber Alliance (UCA) infiltrating and shutting down the leak site run by the Trigona ransomware group and wiping out 10 of the servers, but not before exfiltrating the data stored in them. There is evidence to suggest that the Trigona actors used Atlassian Confluence for their activities.

Just as the dismantling of Hive and Ragnar Locker represents ongoing efforts to tackle the ransomware menace, so are the initiatives undertaken by threat actors to evolve and rebrand under new names. Hive, for instance, has resurfaced as Hunters International.

The development comes as India’s Central Bureau of Investigation, based on information shared by Amazon and Microsoft, said it raided 76 locations across 11 states in a nationwide crackdown aimed at dismantling infrastructure used to facilitate cyber-enabled financial crimes such as tech support scams and cryptocurrency fraud.

The exercise, codenamed Operation Chakra-II, led to the seizure of 32 mobile phones, 48 laptops/hard disks, images of two servers, 33 SIM cards, and pen drives, as well as a dump of 15 email accounts.

It also follows the extradition of Sandu Diaconu, a 31-year-old Moldovan national, from the U.K. to the U.S. to face charges related to his role as the administrator of E-Root Marketplace, a website that offered access to more than 350,000 compromised computer credentials worldwide for ransomware attacks, unauthorized wire transfers, and tax fraud.


The website, which went operational in January 2015, was taken down in 2020 and Diaconu was arrested in the U.K. in May 2021 while trying to flee the country.

“The E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers,” the U.S. Department of Justice (DoJ) said this week.

“Buyers could search for compromised computer credentials on E-Root, such as RDP and SSH access, by desired criteria such as price, geographic location, internet service provider, and operating system.”

In a related law enforcement action, Marquis Hooper, a former U.S. Navy IT manager, was sentenced to five years and five months in prison for illegally obtaining 9,000 U.S. citizens’ personally identifiable information (PII) and selling it on the dark web for $160,000 in bitcoin.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.