Menu
Browse

Cyber Threat Actor: Ragnarok

Actor Type Location Known Incidents
 Icon
Criminal
China
2 incidents
Profile

Ragnarokis a threat actor known by the alias Ragnarok and, according to the available information, operates from China. The actor has been observed conducting ransomware operations that target organizations in Italy, specifically affecting the healthcare sector and the fashion retail industry. In the healthcare incident, a medical laboratory in Cagliari had its online report authorizations, laboratory documents, Covid‑19 related regulatory references, and quality control records linked to a university hospital compromised, with the attackers providing screenshots of file directories and non‑functional download links as proof of the breach. In the fashion sector incident, the premium menswear brand Boggi Milano experienced a ransomware intrusion that allegedly resulted in the exfiltration of approximately 40 GB of data. These activities indicate a financially motivated strategy centered on encrypting data and threatening its release unless a ransom is paid, a pattern consistent with double‑extortion ransomware tactics. The actor’s tooling appears to involve the deployment of ransomware capable of both encrypting files and stealing sensitive information prior to encryption, as evidenced by the claimed data theft and the provision of proof‑of‑access screenshots.

Attribution to Ragnarok is primarily based on the consistent use of the alias across the reported incidents and the geographic association with China, although no explicit links to state sponsorship or criminal consortia have been publicly established. The two highlighted campaigns—the 2025 attack on the Italian medical laboratory and the 2021 Boggi Milano intrusion—represent the actor’s most visible operations to date, demonstrating a focus on Italian entities across distinct industries. While the exact initial access vectors and specific malware variants employed remain unspecified in the sources, the recurring theme of ransomware deployment coupled with data exfiltration underscores a operational profile geared toward financial gain through extortion. The lack of public breach notifications from the victims, particularly in the healthcare case, has prompted inquiries regarding compliance with data protection regulations such as GDPR, highlighting the broader impact of the actor’s activities beyond the immediate technical compromise.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source