{
	"id": "1405a5dc-c3f2-4f58-8c62-46c8367e62f0",
	"created_at": "2026-04-06T00:15:40.069352Z",
	"updated_at": "2026-04-10T03:20:00.937296Z",
	"deleted_at": null,
	"sha1_hash": "ee81f7fde8546ed31511bd40891b0f1789889126",
	"title": "Authorities confirm RagnarLocker ransomware taken down during international sting",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1066198,
	"plain_text": "Authorities confirm RagnarLocker ransomware taken down\r\nduring international sting\r\nBy Carly Page\r\nPublished: 2023-10-20 · Archived: 2026-04-05 20:31:59 UTC\r\nAn international group of law enforcement agencies have disrupted the notorious RagnarLocker ransomware\r\noperation.\r\nTechCrunch reported Thursday that an international law enforcement operation involving agencies from the U.S.,\r\nEuropean Union and Japan had seized the RagnarLocker group’s dark web portal. The portal, which the gang used\r\nto extort its victims by publishing their stolen data, now reads: “This service has been seized by a part of a\r\ncoordinated international law enforcement action against the RagnarLocker group.”\r\nAnnouncing the takedown on Friday, Europol confirmed it took coordinated action against RagnarLocker, which\r\nit says was responsible for “numerous high-profile attacks.” The European police agency also confirmed the arrest\r\nof a 35-year-old man in Paris on October 16, who the authorities accuse of being the “main perpetrator” of the\r\noperation. Authorities searched the alleged RagnarLocker developer’s home in the Czech Republic. Alleged\r\nassociates of the developer were also interviewed in Spain and Latvia.\r\nRagnarLocker’s infrastructure was also seized in the Netherlands, Germany and Sweden. According to Eurojust,\r\nthe EU agency that coordinates criminal justice cooperation across the bloc, a total of nine servers were seized:\r\nfive in the Netherlands, two in Germany and two in Sweden. Eurojust also reports that it seized various\r\ncryptocurrencies, though their value is currently unknown.\r\nUkrainian authorities, who were part of the 11-country operation, said in a separate announcement on Friday that\r\nits officers searched the premises of another RagnarLocker suspect near Kiev, and recovered laptops, mobile\r\nphones and other electronic media.\r\nIn a press release, Italy’s Polizia di Stato (State Police) confirmed its involvement in the coordinated international\r\neffort, which it called “Operation Mole.” The Italian law enforcement agency also published a video that shows\r\nfootage from a raid conducted by French, Italian and Czech police agents, presumably in the house of the 35-year-old man they had arrested.\r\nRagnarLocker is both the name of a ransomware strain and the criminal group that develops and operates it. The\r\ngang, which some security experts have linked to Russia, has been observed targeting victims since 2020, and has\r\npredominantly attacked organizations in the critical infrastructure sectors.\r\nTechcrunch event\r\nSan Francisco, CA | October 13-15, 2026\r\nhttps://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1\r\nPage 1 of 3\n\nAuthorities raiding the home of the alleged developer behind the RagnarLocker ransomware. Image\r\nCredits: Polizia di Stato (opens in a new window)\r\nIn an alert published last year, the FBI warned that it had identified at least 52 U.S. entities across 10 critical\r\ninfrastructure sectors, including manufacturing, energy and government, that had been affected by RagnarLocker\r\nransomware. At the same time, the FBI released indicators of compromise associated with RagnarLocker,\r\nincluding Bitcoin addresses used to collect ransom demands, and email addresses used by the gang’s operators.\r\nIn its announcement on Friday, Ukraine’s police said that since 2020 the RagnarLocker group had attacked and\r\nexfiltrated data from 168 international companies in Europe and the United States. The group demanded between\r\n$5 and $70 million dollars in cryptocurrency from its victims.\r\nIf a victim refused to pay or notified law enforcement of the intrusion, the hackers would publish the victim’s data\r\non the group’s since-seized dark web site.\r\n“Ragnar Locker explicitly warned their victims against contacting law enforcement, threatening to publish all the\r\nstolen data of victimised organisations seeking help on its dark web ‘Wall of Shame’ leak site,” Europol said on\r\nFriday. “Little did they know that law enforcement was closing in on them.”\r\nAlthough the gang has been under the watchful eye of law enforcement for some time, RagnarLocker has been\r\ntargeting victims as recently as this month, according to ransomware tracker Ransomwatch. In September, the\r\ngang claimed responsibility for an attack on Israel’s Mayanei Hayeshua hospital and threatened to leak more than\r\na terabyte of data allegedly stolen during the incident.\r\nLorenzo Franceschi-Bicchierai contributed reporting and writing. This article was first published on October 19,\r\nand updated with new details and comment from Europol and Italy’s Polizia di Stato (State Police).\r\nCarly Page was a Senior Reporter at TechCrunch, where she covered the cybersecurity beat. Prior to that, she had\r\nspent more than a decade in the technology industry, writing for titles including Forbes, TechRadar and WIRED.\r\nYou can contact Carly securely on Signal at +441536 853956\r\nView Bio\r\nhttps://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1\r\nPage 2 of 3\n\nSource: https://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1\r\nhttps://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1"
	],
	"report_names": [
		"?guccounter=1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434540,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee81f7fde8546ed31511bd40891b0f1789889126.pdf",
		"text": "https://archive.orkl.eu/ee81f7fde8546ed31511bd40891b0f1789889126.txt",
		"img": "https://archive.orkl.eu/ee81f7fde8546ed31511bd40891b0f1789889126.jpg"
	}
}