Officials Confirm Second Major Ransomware Bust of 2023

RagnarLocker ransomware gang’s leak site takedown is the second ransomware-related bust after the Hive ransomware gang in January 2023.

October 20, 2023

RagnarLocker ransomware busted
  • FBI, European and Japanese law enforcement operation takes down the RagnarLocker ransomware leak site.
  • RagnarLocker rose as one of the most feared ransomware gangs in 2022, though the syndicate has been relatively dormant this year.

A joint operation between the U.S., European and other law enforcement agencies took down the online infrastructure of one of the most prolific ransomware gangs, RagnarLocker. First reported by BleepingComputer, the operation led to the seizure of its dark web data leak sites accessible via the Tor network, which the ransomware syndicate also used for negotiations with its victims.


It remains unclear whether law enforcement made arrests or seized any other infrastructure. The FBI, the European Union Agency for Law Enforcement Cooperation (Europol), and the participating agencies from Japan, France and other countries also did not comment on whether any ransomware proceeds were recovered in the latest bust.

“While on the surface, this feels like a win, ultimately it may be no more than an inconvenience for the Ragnar group if they are able to quickly set up other servers to replace these,” Erich Kron, Security Awareness Advocate at KnowBe4, told Spiceworks.

“In addition, this could cause problems for people whose organizations have been impacted by a ransomware attack but have now lost a method to negotiate with the bad actors.”

Kron adds that seizing leak sites adds little value for the ransomware gang’s victims unless the underlying infrastructure holds recovery data. He said, “Unless the websites that were seized contain information or decryption keys for these people, it could significantly delay their ability to recover. In the cases where encryption didn’t occur but the data was stolen, there’s a good chance that that data still resides with people that make up the group.”


A Europol spokesperson told TechCrunch that more details will be shared on October 20 once “all actions have been finalized.”

The three-and-a-half-year-old ransomware gang started targeting critical infrastructure in 2021. It had targeted dozens of organizations by January 2022, earning a dedicated FBI advisory from the Internet Crime Complaint Center (IC3) in March of that year. RagnarLocker notably upped the ante in H2 2022, after the start of the war in Ukraine.

RagnarLocker is widely believed to be affiliated with Russia: the FBI IC3 advisory notes that the outfit does not target critical infrastructure in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldavia, Tajikistan, Russia, Turkmenistan, Uzbekistan, and Georgia. However, the group also refrains from targeting Ukrainian assets.

RagnarLocker affiliates infiltrate, move laterally, deploy malware, and carry out encryption using various tools. The ransomware gang relies on double extortion tactics and is known to update obfuscation techniques frequently to avoid detection.

Although it rose to become one of the most feared ransomware gangs in 2022, the RagnarLocker gang has been relatively dormant this year.

Sumeet Wadhwani
Asst. Editor, Spiceworks Ziff Davis
