An international operation coordinated by France, with the support of Eurojust and Europol, has dealt an important blow to the Ragnar Locker ransomware group. In an action carried out between 16 and 20 October, searches were conducted in three different countries and in total six suspects were heard in the Czech Republic, Spain, Latvia and France. Furthermore, nine servers were taken down: five in the Netherlands, two in Germany and two in Sweden. The organised crime group is suspected of having committed attacks against 168 international companies worldwide since 2020.
At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.
The criminals would use malware and steal sensitive data from companies before encrypting their files. They would then offer a decryption key in return for a ransom payment ranging from 5 to 70 million dollars, threatening to leak the stolen data on the dark web if their demands were not met.
This major international operation follows two previous actions conducted against the same ransomware group. In September 2021, a coordinated strike between the French, Ukrainian and United States (US) authorities led to the arrest of two suspects in Ukraine. In October 2022, another suspect was arrested in Canada in a joint action carried out by the French, Canadian and US authorities.
The current operation focused on identifying and shutting down some of the servers used by the hacker group, particularly those used for the exfiltration and publication of data. During the action days, simultaneous searches and hearings of suspects took place in France, Spain, Latvia and the Czech Republic. Various cryptocurrencies were also seized.
The case was opened by Eurojust in May 2021 at the request of the French authorities. Five coordination meetings were hosted by the Agency to facilitate judicial cooperation between the authorities of the countries supporting the investigation. Eurojust set up a coordination centre during the action week to enable rapid cooperation between the judicial authorities involved.
Europol’s European Cybercrime Centre supported the investigation from the outset, bringing together all the involved countries to establish a joint strategy. Its cybercrime specialists organised 15 coordination meetings and two week-long sprints to prepare for the latest actions, as well as providing analytical, malware, forensic and crypto-tracing support. A virtual command post was set up this week by Europol to ensure seamless coordination between all the authorities involved.
The following authorities took part in this investigation:
- Czech Republic: Metropolitan Public Prosecutor’s Office Prague; National Counterterrorism and Cybercrime Agency, Prague
- France: JUNALCO (French National Public Prosecutor’s Office against organised crime), Cybercrime Unit; French Gendarmerie
- Germany: Public Prosecutor’s Office Leipzig (Staatsanwaltschaft Leipzig); Saxon State Office of Criminal Investigation (Landeskriminalamt Sachsen); Federal Criminal Police Office (Bundeskriminalamt)
- Italy: Milan Public Prosecutor’s Office and Milan Polizia di Stato – Polizia Postale e delle Comunicazioni
- Japan: National Police Agency (NPA)
- Latvia: State Police of Latvia, International Cooperation Department and Cybercrime Enforcement Department
- The Netherlands: East Netherlands Public Prosecutor’s Office; Cybercrime Team Police region East Netherlands
- Sweden: Swedish Public Prosecutor’s Office; National Unit against Organised Crime; Swedish Police
- Spain: Investigative Court number 1 Torrevieja (Alicante); International Cooperation Section Public Prosecutor’s Office Alicante; Guardia Civil, Attached Unit Alicante supported by Team EDITE
- Ukraine: Kyiv City Prosecutor’s Office; Cyber Police Department of the National Police of Ukraine; Main Department of the National Police in Kyiv City