{ "id": "1e931f8a-8718-4504-8ac1-a927999cf5d3", "created_at": "2026-04-06T00:20:18.385691Z", "updated_at": "2026-04-10T13:12:41.083324Z", "deleted_at": null, "sha1_hash": "b21e84849cf670e2dbc3b2fcb8bf357b390ea66c", "title": "Ragnar Locker ransomware\u0026rsquo;s dark web extortion sites seized by police", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 4117174, "plain_text": "Ragnar Locker ransomware\u0026rsquo;s dark web extortion sites seized by\r\npolice\r\nBy Lawrence Abrams\r\nPublished: 2023-10-19 · Archived: 2026-04-05 23:49:45 UTC\r\nThe Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized Thursday morning as part of an\r\ninternational law enforcement operation.\r\nBleepingComputer has confirmed that visiting either website now displays a seizure message stating that a large assortment\r\nof international law enforcement from the US, Europe, Germany, France, Italy, Japan, Spain, Netherlands, Czech Republic,\r\nand Latvia were involved in the operation.\r\n\"This service has been seized as part of a coordinated law enforcement action against the Ragnar Locker group,\" reads the\r\nmessage.\r\nhttps://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nA Europol spokesperson has confirmed the seizure message is legitimate as part of an ongoing action targeting the Ragnar\r\nLocker ransomware gang and that a press release will be published tomorrow. The FBI declined to comment.\r\nRagnar Locker Tor negotiation site seized by law enforcement\r\nSource: BleepingComputer\r\nWho is Ragnar Locker\r\nRagnar Locker (aka Ragnar_Locker and RagnarLocker) is one of the longest-running ransomware operations at this time,\r\nlaunching at the end of 2019 as they began targeting the enterprise.\r\nLike other ransomware operations, Ragnar Locker would breach corporate networks, spread laterally to other devices while\r\nharvesting data, and then encrypt the computers on the network.\r\nThe encrypted files and stolen data were used as leverage in double-extortion schemes to pressure a victim to pay.\r\nhttps://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/\r\nPage 3 of 5\n\nRangarLocker ransom note for Capcom\r\nSource: BleepingComputer\r\nHowever, unlike most modern operations, Ragnar Locker was not considered a Ransomware-as-a-Service that actively\r\nrecruited outside affiliates to breach networks and deploy the ransomware, earning a revenue share in the process.\r\nInstead, Ragnar Locker was semi-private, meaning they did not actively promote their operation to recruit affiliates but\r\nworked with outside pentesters to breach networks.\r\nThe ransomware gang also conducts pure data theft attacks rather than deploying an encryptor, using their data leak site to\r\nextort the victim.\r\nAccording to cybersecurity researcher MalwareHunterTeam, RagnarLocker has more recently switched to using a VMware\r\nESXi encryptor based off of Babuk's leaked source code.\r\nHowever, a new ransomware operation named DarkAngels was seen utilizing Ragnar Locker's original ESXi encryptor in an\r\nattack on Industrial giant Johnson Controls.\r\nIt is unclear if this new operation is an offshoot of Ragnar Locker, or a rebrand, or if they bought the source code.\r\nThe ransomware operation is responsible for numerous high-profile attacks over the years, including Energias de Portugal\r\n(EDP), Capcom, Campari, Dassault Falcon Jet, ADATA, and the City of Antwerp, Belgium.\r\nIt has been a bad week for ransomware operations and a win for law enforcement and cybersecurity. In addition to the\r\nRagnarLocker seizure, the Ukrainian Cyber Alliance (UCA) hacked the Trigona Ransomware operation and retrieved data\r\nbefore wiping their servers.\r\nUCA says they will share the ransomware gang's data with law enforcement.\r\nhttps://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/\r\nhttps://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/" ], "report_names": [ "ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police" ], "threat_actors": [ { "id": "4a73cb62-be05-49d2-9dbb-1298606ec0a3", "created_at": "2025-03-07T02:00:03.799095Z", "updated_at": "2026-04-10T02:00:03.827106Z", "deleted_at": null, "main_name": "Ukrainian Cyber Alliance", "aliases": [ "UCA" ], "source_name": "MISPGALAXY:Ukrainian Cyber Alliance", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "98cd3bc4-fd41-4087-be03-f6f8f3be7b67", "created_at": "2025-05-29T02:00:03.220566Z", "updated_at": "2026-04-10T02:00:03.871851Z", "deleted_at": null, "main_name": "Cyber Alliance", "aliases": [], "source_name": "MISPGALAXY:Cyber Alliance", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434818, "ts_updated_at": 1775826761, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b21e84849cf670e2dbc3b2fcb8bf357b390ea66c.pdf", "text": "https://archive.orkl.eu/b21e84849cf670e2dbc3b2fcb8bf357b390ea66c.txt", "img": "https://archive.orkl.eu/b21e84849cf670e2dbc3b2fcb8bf357b390ea66c.jpg" } }