Law enforcement agencies from more than a dozen countries seized a website used by the criminal hacking group known as Ragnar Locker to leak stolen data and information, according to a message posted to the site’s front page.
The seizure is the latest in a string by global law enforcement agencies to take down the public facing websites and infrastructure of ransomware groups.
The extent to which Thursday’s operation — which was carried out by a coalition of 16 law enforcement agencies including the FBI, German police and Japanese authorities — disrupted the ransomware operation is unclear. As of Thursday afternoon, authorities had not released any details about the scope of the operation, including whether there were any arrests.
“This service has been seized as part of a coordinated international law enforcement action against the RagnarLocker group,” a message on the Ragnar Locker website reads.
A Europol spokesperson told multiple media outlets Thursday that an operation had taken place and that more information would be available Friday. The FBI declined to comment on Thursday.
Ragnar Locker dates to 2019, making it one of the most enduring ransomware operations, according to the tech news site Bleeping Computer. The group was somewhat unique in the ransomware landscape, the site noted, given that it was more closed to outsiders than many other criminal hacking groups. While the group would work with outside hackers to breach systems, it was far less willing to take on affiliates or sell its services to outsiders.
The group was also unusual in the criminal hacking landscape in that it would often eschew encrypting data and demanding a ransom to decrypt it, preferring to instead steal data outright and demand payment in exchange for not leaking it online.
Adam Meyers, Crowdstrike’s head of counter adversary operations, said that Ragnar Locker, which his firm tracks as “Viking Spider,” represented one of the first “Big Game Hunting” groups that attacked large targets with the aim of securing significant payouts, rather than targeting smaller entities, and then leveraged the threat of publicizing stolen data to pressure its victims into paying up.
According to Meyers, the group posted data belonging to 100 victims to its leak site across 27 sectors during its run. As of January 2022, the FBI had identified at least 52 entities across 10 critical infrastructure sectors affected by the group, the agency said in a March 2022 alert.
Thursday’s action is the latest in a string of law enforcement operations aimed at disrupting cybercrime and nation-state cyber operations and infrastructure. Last month, authorities in the U.S. and the U.K. announced sanctions against 11 members of the notorious Trickbot cybercrime syndicate and unveiled indictments in the U.S. against some of the members.
Previous operations targeted infrastructure used by the Hive ransomware group, the Russian military-controlled CyclopsBlink botnet and a Chinese-linked effort to exploit vulnerable Microsoft Exchange servers.
During remarks in April, U.S. Deputy Attorney General Lisa Monaco said that U.S. prosecutors and investigators are directed to have “a bias toward action to disrupt and prevent” cyber crime.