The Ragnar Locker ransomware group is “likely to rebrand” despite being taken down by law enforcement agencies, security experts have warned.
The ransomware group’s operations were disrupted as part of a sting led by Europol this week which saw its dark web data leak portal shut down.
Users visiting the dark web portal are now met with a message claiming the service has been “seized as part of a coordinated law enforcement action”.
The cyber criminal gang is the latest in a recent flurry of groups targeted by law enforcement agencies on both sides of the Atlantic.
But Doel Santos, principal threat researcher at Palo Alto Networks’ Unit 42 threat intelligence division, warned that while the take down should be welcomed, the long-term impact on the group could be minimal.
“These takedowns are a tremendous win for law enforcement and the industry and will likely deter activity. However, without arrests, it's likely that we will see the group rebrand in time.”
Santos said Unit 42 has been tracking the Ragnar Locker group since mid-2021, adding that it’s one of the ransomware groups threatening organizations globally.
The Russian-linked gang has claimed over 50 victims in the last two years, and has typically targeted organizations operating in the retail, manufacturing, healthcare, and technology sectors, Santos said.
Games publisher Capcom and Italian drinks giant Campari are among the notable victims claimed by Ragnar Locker.
Ragnar Locker is one of several groups to employ ‘double extortion’ ransomware techniques, whereby attackers breach corporate networks, encrypt stolen data, and also demand a ransom payment.
The practice has given threat actors additional leverage when forcing victims to comply with demands.
Not quite down and out
If Ragnar Locker does return under a rebranded guise, the group will be another in a growing list of cyber criminal operations to swerve law enforcement crackdowns in some capacity.
PowerEdge - Cyber resilient infrastructure for a Zero Trust world
Discover principles that will create an effective data security strategy
Researchers at Cisco Talos recently warned that Qakbot-affiliated hackers still remain a “pervasive threat” despite a takedown that disrupted its infrastructure.
Infrastructure assets used by the botnet were seized in an FBI-led operation in August 2023, but Talos revealed that organizations should still remain wary of lingering threats.
The Trickbot and Emotet botnets were both shut down by law enforcement operations in 2020 and 2021 respectively. However, the latter of these quickly re-established itself and continued to pose a major threat.
A "clear message" from law enforcement
The recent takedown does send a strong message to cyber criminal groups according to Raj Samani, SVP and chief scientist at Rapid7.
Samani commended law enforcement for its work taking down RagnarLocker,, adding cyber criminals could grow wary of the increasingly close-knit coordination between authorities.
“The seizure of Ragnar Locker’s dark web site could not have been an easy feat – it takes a copious amount of time, effort and resources from several nations,” he said.
“This effort, along with the shutdown of PIILOPOTUI marketplace and Genesis Market earlier in the year, sends out a clear message that actions have consequences and something is being done when victims report cyber crime.
“It’s great to see the recent momentum gaining in shutting down these criminal markets. The benefits of cross-collaboration are clearly being seen – international agencies working together will stop cyber crime.”
