The RagnarLocker ransomware collective that was an early and enthusiastic pioneer of the notorious double extortion technique has become the latest “victim” of a growing wave of international law enforcement takedowns, disappearing from the dark web on Thursday 19 October in an operation coordinated by the FBI and the European Union’s (EU’s) Europol agency.
The operation saw RagnarLocker’s negotiation and data leak sites on Tor seized and replaced with a message stating the group has been taken offline.
Full details of the operation have yet to emerge, and Computer Weekly understands Europol means to make an official announcement later on Friday 20 October. An agency spokesperson confirmed its involvement but declined to comment further at the time of writing.
RagnarLocker first came to attention over the course of a few months at the end of 2019 and start of 2020, immediately prior to the onset of the Covid-19 pandemic. At the time, the ransomware landscape was dominated by the likes of REvil/Sodinokibi among others, and the now standard double extortion model was just beginning to emerge as a factor in ransomware attacks.
RagnarLocker was an enthusiastic pioneer of this technique, and early in its history made what were at the time very large ransom demands of its victims – among others, extorting beverage company Campari for $15m, and Resident Evil developer Capcom for $11m, although these sums have since been eclipsed by other cartels.
Adam Meyers, head of counter adversary operations at Crowdstrike – which tracks RagnarLocker as Viking Spider, said: “Viking Spider is one of the first Big Game Hunting ransomware adversaries to leverage the threat of publication of stolen data to a DLS [dark web leak site] to pressure victims. In its period of activity, Viking Spider posted over a hundred victims from 27 sectors to their DLS. CrowdStrike Intelligence assesses that this operation will likely severely impact Viking Spider operations in the medium term. This assessment is made with moderate confidence given the effectiveness of other similar operations.”
RagnarLocker was also known for its grasp of technological innovation, introducing new ransomware delivery techniques such as distributing its locker payloads inside the virtual hard drive of a malicious virtual machine. This tactic was seized on by others, notably the Maze operation, with which RagnarLocker at one point came together in a ransomware supergroup with, among others, LockBit.
Low volume, yet consistent
Diana Selck-Paulsson, lead security researcher at Orange Cyberdefense, said the takedown was a significant one given RagnarLocker’s long history. The gang has tended to take a slow-and-steady approach to its activity, with comparatively low volumes of activity compared with others, but consistent, making it one of the longest-lived operators in the cyber criminal underground, an unusual feat for such a fast-moving ecosystem.
In other regards, said Selck-Paulsson, RagnarLocker exhibited similar behaviour to its peers in terms of its approach to victims and the tactics it used on them.
“They are known to be very opinionated on their leaksites, often justifying their actions in the name of ‘data privacy and security’,” she said. “In the past, they have warned their victims against collaborating with law enforcement agencies or recovery companies, threatening to leak stolen data immediately, but also pointing fingers on how greedy recovery companies and negotiators are, portraying their activity in a better light.
“This is a very common scheme that we observe with threat actors in the cyber extortion space, applying neutralisation techniques, thus justifying their actions to make it seemingly more acceptable to engage in crime.
“Their ‘About us’ page confirms this, reading as follows: ‘We are Team of Ragnar_Locker and we are cybersecurity enthusiast, cryptopunks, entrepreneurs and businessmen. Our main goal is to create cool project, that can show its power in all its glory and of course make profit’.
“’Ragnar Team don’t pursuit aim to make huge damage to anyone’s business or someone personally, but if it would be necessary, no doubt we will do what we promise and the consequences will be disastrous, so no jokes here’.”
Not the end of the story
Jake Moore, global cyber security advisor at ESET, added: “Any takedown by Europol should be regarded as both significant and impressive, but this particular takedown stands out because of its Russian links and the challenges facing the police.
“Previously, RagnarLocker cautioned victims against reaching out to the police or the FBI about their ransom demands, threatening data exposure if they did. Their financial motivations are usually very clear, and with no room to negotiate.”
However, he added, the takedown would likely not be the end of the story. “RagnarLocker is not the typical ransomware-as-a-service [RaaS] operator,” said Moore. “The gang is focusing mostly on data theft, not data encryption, so they will probably set up a new channel to extort their victims.
“And without arrests, there’s little doubt that the criminals behind it have all the opportunity to continue in their malicious activities.”