{ "id": "94b5b69b-fc34-471e-86ee-d583056fd2a4", "created_at": "2026-04-06T00:18:59.105944Z", "updated_at": "2026-04-10T13:12:18.373761Z", "deleted_at": null, "sha1_hash": "5acdefb207948c0681017210c2cd86a5f1647e62", "title": "Ragnar Locker ransomware developer arrested in France", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3219211, "plain_text": "Ragnar Locker ransomware developer arrested in France\r\nBy Sergiu Gatlan\r\nPublished: 2023-10-20 · Archived: 2026-04-05 18:48:37 UTC\r\nLaw enforcement agencies arrested a malware developer linked with the Ragnar Locker ransomware gang and seized the\r\ngroup's dark web sites in a joint international operation.\r\nThe Ragnar Locker ransomware gang is believed to have carried out attacks against 168 international companies globally\r\nsince 2020.\r\n\"The 'key target' of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia\r\nwas searched. Five suspects were interviewed in Spain and Latvia in the following days,\" Europol said today.\r\nhttps://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought\r\nin front of the examining magistrates of the Paris Judicial Court.\"\r\nUkrainian police also raided the premises of another suspected gang member in Kyiv, seizing laptops, mobile phones, and\r\nelectronic devices.\r\nEurojust opened the case in May 2021 at the French authorities' request. The agency conducted five coordination meetings\r\nto facilitate judicial collaboration among authorities involved in the investigation.\r\nThis joint operation between authorities from France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain,\r\nSweden, Japan, Canada, and the United States marks the third action against the same ransomware gang.\r\nIn September 2021, coordinated efforts involving French, Ukrainian, and US authorities led to the arrest of two suspects in\r\nUkraine.\r\nSubsequently, in October 2022, another suspect was apprehended in Canada through a joint operation conducted by French,\r\nCanadian, and US law enforcement agencies.\r\nDuring the coordinated operation, law enforcement agents also seized cryptocurrency assets and took down the Ragnar\r\nLocker's Tor negotiation and data leak sites on Thursday.\r\n\"Furthermore, nine servers were taken down; five in the Netherlands, two in Germany and two in Sweden,\" Europol said.\r\n\"This service has been seized as part of a coordinated law enforcement action against the Ragnar Locker group,\" a banner\r\ndisplayed on Ragnar Locker's data leak site reads.\r\nRagnar Locker seizure banner (BleepingComputer)\r\nAlongside the successful seizure of Ragnar Locker's infrastructure, the Ukrainian Cyber Alliance (UCA) hacked the Trigona\r\nRansomware operation, successfully retrieving data and wiping the cybercriminals' servers.\r\nThe Ragnar Locker (also known as Ragnar_Locker and RagnarLocker) ransomware operation surfaced in late December\r\n2019 when it started targeting enterprise victims worldwide.\r\nIn contrast to many modern ransomware gangs, Ragnar Locker did not operate as a Ransomware-as-a-Service, where\r\naffiliates are recruited to breach targets' networks and deploy the ransomware in exchange for a share of the revenue.\r\nInstead, Ragnar Locker operated semi-private, as they didn't actively recruit affiliates, choosing to collaborate with external\r\npenetration testers to breach networks.\r\nIts list of previous victims includes prominent entities such as computer chip manufacturer ADATA, aviation giant Dassault\r\nFalcon, and Japanese game maker Capcom.\r\nhttps://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/\r\nPage 3 of 4\n\nAccording to a March 2022 FBI advisory, this ransomware has been deployed on the networks of at least 52 organizations\r\nacross various critical infrastructure sectors in the United States since April 2020.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/\r\nhttps://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/" ], "report_names": [ "ragnar-locker-ransomware-developer-arrested-in-france" ], "threat_actors": [ { "id": "4a73cb62-be05-49d2-9dbb-1298606ec0a3", "created_at": "2025-03-07T02:00:03.799095Z", "updated_at": "2026-04-10T02:00:03.827106Z", "deleted_at": null, "main_name": "Ukrainian Cyber Alliance", "aliases": [ "UCA" ], "source_name": "MISPGALAXY:Ukrainian Cyber Alliance", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "98cd3bc4-fd41-4087-be03-f6f8f3be7b67", "created_at": "2025-05-29T02:00:03.220566Z", "updated_at": "2026-04-10T02:00:03.871851Z", "deleted_at": null, "main_name": "Cyber Alliance", "aliases": [], "source_name": "MISPGALAXY:Cyber Alliance", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434739, "ts_updated_at": 1775826738, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5acdefb207948c0681017210c2cd86a5f1647e62.pdf", "text": "https://archive.orkl.eu/5acdefb207948c0681017210c2cd86a5f1647e62.txt", "img": "https://archive.orkl.eu/5acdefb207948c0681017210c2cd86a5f1647e62.jpg" } }