Cyber Incident Victim: RagnarLocker

Date: Dec 2020

Location: United States of America

Summary

Ragnar Locker operators breached Dassault Falcon Jet Corp.'s systems after exploiting a critical vulnerability, remaining undetected for over six months before executing ransomware encryption targeting critical servers and file shares. The attackers exfiltrated sensitive data, including development documentation for new Falcon jets, and threatened to auction or publicly release it unless the company contacted them via their secure live chat. The victim did not initially acknowledge the incident publicly. The group described the security perimeter it had compromised as robust and demanded negotiations to prevent data disclosure.


Description

The Ragnar Locker ransomware group claimed responsibility for a cyberattack against Dassault Falcon Jet Corp., first detected on December 7, 2020. Attackers privately disclosed to journalists that they had maintained unauthorized access to the company’s systems for over six months prior to deploying ransomware. Initial compromise reportedly occurred via exploitation of a Citrix vulnerability (referred to as "Shitrix" in communications) identified in late March 2020 through the specialized search engine Onyphe. Despite acknowledging Dassault’s "very robust security perimeter," operators asserted they successfully bypassed these controls. The ransomware, activated at 7:00 AM on December 7, encrypted all critical servers and file shares. Attackers emphasized their prolonged reconnaissance efforts, stating they had collected sensitive data, and threatened publication unless contacted through their secured live chat platform.

Following the encryption event, Ragnar Locker operators publicly escalated pressure by publishing a direct appeal to Dassault on their leak site, threatening to auction proprietary Falcon jet development documents (specifically referencing the newly unveiled Falcon 6X aircraft) or sell data to third parties. The group warned that failure to negotiate would result in full data disclosure. Dassault Falcon Jet Corp.’s initial public response was contradictory: a spokesperson contacted by phone said they were unaware of the incident while noting normal email and website functionality, but referred inquiries to the company's communication leadership, which was unresponsive. Attackers reiterated their six-month dwell time and data exfiltration claims as leverage, framing the intrusion as extensively researched. The company’s parent entity, Dassault Aviation, clarified through its communication director that the incident solely impacted Dassault Falcon Jet Corp., distancing itself from responsibility for public statements. No containment measures, ransom payments, or data recovery outcomes were disclosed in available communications.
