Cyber Threat Actor: Ragnar Locker
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
31 incidents |
|---|
Profile
Ragnar Locker, also tracked as Ragnar_Locker and Ragnar Locker Team, is a ransomware group that has been observed since late 2019 and is associated with actors based in Russia. The group has carried out attacks across a range of sectors including healthcare, transportation, energy, manufacturing, law enforcement and critical infrastructure, with victims reported in Italy, Belgium, Greece, Portugal, Japan, the United States and other countries. Their operations typically involve the theft of sensitive data before encryption, followed by extortion demands that threaten to publish the stolen information if a ransom is not paid, a tactic described as double extortion. Publicly reported incidents show the group targeting municipal services, hospitals, police units, gas operators, airlines and large corporations, indicating a focus on entities that hold valuable data and may be willing to pay to avoid disruption or reputational harm.
Technical details from analyses of their attacks reveal that Ragnar Locker gains initial access often through brute‑forced or compromised Remote Desktop Protocol credentials, then elevates privileges by exploiting vulnerabilities such as CVE‑2017‑0213 in the Windows COM Aggregate Marshaler. After privilege escalation, the operators sometimes deploy a customized VirtualBox virtual machine running a Windows XP image to evade security tools, delete shadow copies, disable detected antivirus programs and use PowerShell scripts to move laterally within the victim’s network. They exfiltrate files to servers under their control before deploying the ransomware payload, and they maintain a data leak site and a Tor‑based negotiation portal to communicate with victims and publish proof of stolen data. While the group’s activity has prompted FBI warnings about increased ransomware deployment since April 2020, no public attribution to a state sponsor or a larger criminal consortium has been established in the available sources. Representative campaigns include the 2022 attack on the Italian hospital Azienda Ospedaliera SS. Antonio e Biagio e Cesare Arrigo, the 2022 breach of a Belgian police unit via an exposed Citrix endpoint, the 2022 ransomware incident against the Greek national gas operator DESFA and the 2020 intrusion into Japanese game developer Capcom, all of which illustrate the group’s reliance on double extortion and the specific technical steps described above.
