Law enforcement agencies have taken over the RagnarLocker ransomware group's leak site in an internationally coordinated takedown. The agencies involved include Europol's European Cybercrime Centre, the US's Federal Bureau of Investigation, and Germany's Bundeskriminalamt, among many others.

The takedown follows a concerted effort from law enforcement in recent years to shutter ransomware groups as their success continues to exceed previous records. In January this year, the FBI led the way in taking down the Hive group, handing out decryption keys to more than 300 victims. The Bureau calculated the potential savings in ransom fees to be around $130 million. At the time, FBI director Christopher Wray said only about 40 percent of Hive's victims contacted the FBI about the incident.

A known tactic of RagnarLocker is to dissuade victims from contacting domestic law enforcement, a fact that makes the latest bust extra special, according to Jake Moore, global cybersecurity advisor at ESET.

"Any takedown by Europol is both significant and impressive but this seems to have extra kudos due to its Russian origin and it reflects the power of trying to suppress law enforcement help," he told The Register. "In the past, RagnarLocker has warned their victims not to contact the police or FBI concerning their ransom demands or face the threat of having their data published. Therefore, this takedown will come as an extra blow to the ransomware group who clearly have a bone of contention with the authorities."

Asked about the takedown, Europol declined to comment any further, other than to say that it's "part of an ongoing action against this ransomware group." More details are expected to be released via official channels tomorrow.

RagnarLocker emerged in late 2019 or early 2020, depending on which security company's reports you read, and its location has never been conclusively proven.
Many different European and Asian countries have been linked to the gang, which uses its own eponymous ransomware payload, though Russia and Ukraine are among those most often floated.

The FBI was prompted to release an advisory in March 2022 alerting organizations to the group's typical mission objectives - targeting critical infrastructure. It said at the time that 52 critical infrastructure organizations had been successfully targeted by the group. RagnarLocker is also well known for adopting a double extortion model and was notoriously staunch in its approach to negotiations.

Most modern ransomware groups are open to negotiating fees, as long as the negotiations don't hurt their feelings. RagnarLocker was known for its take-it-or-leave-it stance on issuing ransom demands.

The gang was previously considered one of the most dangerous in operation, though it hasn't been as active in 2023. It was omitted from Microsoft's latest Digital Defense Report, which ranked the top ransomware groups in operation currently. The only major attack claimed by RagnarLocker in the past year was on an Israeli hospital - an incident that saw it leak 400GB of data of an alleged total 1TB stolen, part of its telltale double extortion tactic.
This Cyber News was published on www.theregister.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000