A day earlier, Bleeping Computer had broken the news, with a Europol spokesperson confirming to the publication that the law enforcement operation had indeed taken place. Europol only released an official statement the following day.
In that statement, Europol noted that the investigation was led by the French National Gendarmerie, together with law enforcement authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States of America.
Not only was the extortion website used by Ragnar Locker affiliates to announce data leaks and communicate with victims seized, but arrests were also made. Europol stated,
In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain and Latvia. The “key target” of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days. At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.
These arrests follow earlier arrests made in September 2021 as part of the same investigation. Ragnar Locker began operations towards the end of 2019, and the group's tactics and techniques were similar to those of other prominent ransomware gangs.
Once initial access to a target network was gained, the threat actors would use various techniques to move laterally across the now-compromised network.
Data would then be stolen, and the malware's encryption routine would be run, crippling the victim's IT infrastructure.
The stolen data would then be used in the now infamous double-extortion technique, in which the stolen data is released to the public should the ransom not be paid.
Interestingly, Ragnar Locker cannot be considered a Ransomware-as-a-Service (RaaS) operation, in which the ransomware administrators actively recruit affiliates from outside their trusted inner circle.
While Ragnar Locker did not recruit affiliates like gangs adopting the RaaS model, its members would partner with hackers who specialize in gaining initial access to targeted infrastructure and compromising networks.
It should also be noted that Ragnar Locker would sometimes only steal data for extortion purposes and not deploy an encryptor at all.
Ragnar Locker and DarkAngels
For fans of Games Workshop's Warhammer 40,000, the words Ragnar and Dark Angels may have several favorable connotations. For infosec professionals, these words will have only negative connotations.
Following the release of Babuk Locker's source code to the public via an underground hacking forum, Ragnar Locker's developers switched to a VMware ESXi encryptor based on the Babuk Locker source code.
However, in the recent attack on building-automation giant Johnson Controls, a newer ransomware operation was seen using Ragnar Locker's older ESXi encryptor.
Following the attack, Nextron Systems security researcher Gameel Ali posted a sample of the Linux ransomware used to encrypt ESXi server data, stating that it had been used in the attack against Johnson Controls.
The threat actors claimed to have stolen 27TB of data in the attack. Several publications attempted to contact the company for confirmation; however, little in the way of confirmation was received.
Johnson Controls released a public statement noting,
Johnson Controls International plc (the “Company”) has experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident. Promptly after detecting the issue, the Company began an investigation with assistance from leading external cybersecurity experts and is also coordinating with its insurers.
The Company continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate.
To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible, and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers. However, the incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.
The Company is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results. The Company’s investigation and remediation efforts are ongoing.
The DarkAngels ransomware gang began operating in May 2022. Like Ragnar Locker, the gang breaches corporate networks and spreads laterally through them, stealing data from file servers along the way for use in double-extortion attacks.
Despite the shared code and the similarities in tactics, it cannot be confirmed beyond doubt that a relationship exists between the two ransomware gangs.
DarkAngels may be an offshoot of Ragnar Locker, or a rebrand undertaken as law enforcement was closing in. Alternatively, the threat actors could simply have bought the source code.