European Police Dismantle Ragnar Locker Infrastructure

European police in Paris this week arrested a man accused of being a key developer of Ragnar Locker ransomware in a police operation that seized the group’s digital infrastructure in multiple countries.

See Also: Defending Against the Rising Tide of Fraud: Resilience Strategies for Businesses

A joint action led by French authorities resulted in one arrest and the questioning of five suspects located in Spain and Latvia in coordinated action that began Monday, Europol announced Friday. Police also searched the alleged developer’s residence in the Czech Republic.

Police identified Ragnar Locker infrastructure in the Netherlands, Germany and Sweden, which hosted the group’s dark web leak site.

Ragnar Locker is a crypto-locking malware functional on the Windows and Linux operating systems. The operators mainly used the double-extortion tactic of stealing data and threatening to leak it to extort ransom from the victims. News of the police operation emerged on Thursday after the ransomware group’s dark web site displayed a seizure notice (see: Is the Ragnar Locker Ransomware Group Headed for Oblivion?).

The Friday arrest comes after a joint action carried out by the French, Canadian and U.S. authorities to arrest a Ragnar suspect in Canada in October 2022. Ukrainian police in September 2022 detained two alleged Ragnar operators in cooperation with French and American police agencies.

The Russian-speaking group first appeared in 2019 and mainly targeted large industrial groups in Europe and North America from April 2020 onward. The group was notorious for its large ransom amount, which ranged from $5 million to $70 million. Its victims include energy firm Energias de Portugal, Japanese gaming firm Capcom, aircraft maker Dassault Falcon and Italian liquor-making giant Campari.

In March 2022, the FBI warned that Ragnar Locker appeared to be actively targeting critical infrastructure sectors and had amassed at least 52 U.S. victim organizations across 10 critical infrastructure sectors.

The bust is the latest in a series of actions taken by international law enforcement agencies against ransomware and other cybercrime groups. In September, the U.S. and British authorities sanctioned 11 Russian TrickBot operations. Prior to that, U.S. agencies shuttered QakBot botnet infrastructure. Earlier this year, the FBI seized Hive ransomware servers in a multi-nation takedown.