Ragnar Locker's Extortion Website Seized

On October 20, 2023, Europol announced that authorities had seized Ragnar Locker's extortion and data leak website as part of an international law enforcement operation.

A day earlier, Bleeping Computer broke the news and confirmed the law enforcement operation did indeed occur, according to a Europol spokesperson. It was only the following day that Europol released an official statement.

Ragnar Locker's Extortion Website Seized

In the statement released by Europol, it was noted that the investigation led by the French National Gendarmerie, together with law enforcement authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States of America.

Not only was the extortion website used by Ragnar Locker affiliates to announce data leaks and communicate with the victims seized but arrests were also made. Europol stated,

In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain and Latvia. The “key target” of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days. At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.

These arrests follow arrests made in September 2021 in relation to this investigation. Ragnar Locker began operations towards the end of 2019. The group's tactics and techniques were similar to those of other prominent ransomware gangs.

Once initial access was gained to a target network, threat actors would use various techniques to spread laterally across the now-compromised network.

Immediately after the data would be stolen and then the malware's encryption routine would be run. This would have the result of crippling the victim's IT infrastructure.

The stolen data would then be used in the now infamous double extortion technique that involves releasing stolen data to the public should the ransom not be paid.

Interestingly, Ragnar Locker cannot be considered a Ransomware-as-a-Service (RaaS), where the ransomware administrators would actively recruit affiliates outside the administrator's trusted inner circle.

While Ragnar Locker would not look for affiliates like other gangs adopting the RaaS model, Ragnar Locker members would partner with hackers who specialize in gaining initial access to targeted infrastructure and compromise networks.

It should also be noted that Ragnar Locker would sometimes only steal data for extortion purposes and not deploy an encryptor to compromise data.

Ragnar Locker and DarkAngels

For fans of Games Workshop's Warhammer 40,000, the words Ragnar and Dark Angels may have several favorable connotations. For infosec professionals, these words will have only negative connotations.

Following the release of Babuk Locker's source code to the public via an underground hacking forum, Ragnar Locker developers switched to using a VMware ESXi encryptor based on Babuk Locker's source code.

However, in a recent attack on building automation giant Johnson Controls, a new ransomware operation was seen using Ragnar Locker's older ESXi encryptor.

Following the attack, a Nextron Systems security researcher, Gameel Ali, posted a sample of the Linux ransomware used to encrypt ESXi server data, stating that it had been used in the attack against Johnson Controls.

Threat actors claimed to have stolen 27TB of data in the attack. Several publications attempted to contact the company for confirmation; however, little in the way of confirmation was received.

Johnson Controls released a public statement noting,

Johnson Controls International plc (the “Company”) has experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident. Promptly after detecting the issue, the Company began an investigation with assistance from leading external cybersecurity experts and is also coordinating with its insurers.


The Company continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate.


To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible, and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers. However, the incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.


The Company is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results. The Company’s investigation and remediation efforts are ongoing.

The DarkAngels ransomware gang began operation in May 2022. Like with Ragnar Locker, the gang breaches corporate networks and spreads laterally through the network. During this time, the threat actors steal data from file servers to be used in double-extortion attacks.

Despite the code similarities and similarities in tactics, it cannot be confirmed beyond a shadow of a doubt that a relationship exists between the two ransomware gangs.

It may be that DarkAngels operation is an offshoot of Ragnar Locker or a possible rebrand, seeing that law enforcement was closing in. Alternatively, threat actors could have bought the source code.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal