
RagnarLocker

Aliases: 2 aliases
Primary URL: rgleakxqew2mznd473mfymifidbemg3qyf2d34j5g7zvn46uqh6s2fid[.]onion
Location: Russia
Industry: Undetermined
Profile

RagnarLocker operators function as a ransomware-as-a-service group that develops and deploys ransomware payloads to compromise corporate networks, encrypt critical systems and file shares, and exfiltrate sensitive data for extortion purposes. Their core activity involves gaining initial access through exploited vulnerabilities, maintaining persistence, and then executing encryption while threatening to publish or auction stolen information unless a ransom is paid. They typically engage victims via secure live chat channels to negotiate payment and demonstrate the seriousness of their threats by releasing proof of data theft. The group's operations are oriented toward high-value targets across various sectors, seeking financial gain through double-extortion tactics.

The known incident against Dassault Falcon Jet Corp. on 7 December 2020 illustrates the group's ability to infiltrate a major aerospace manufacturer and remain undetected for more than six months before launching ransomware encryption. This case shows that RagnarLocker can successfully target organisations with substantial intellectual property and operational infrastructure, indicating a reach that extends beyond regional boundaries. While no explicit metrics on the group's size, member count, or annual revenue are available, the demonstrated capability to compromise a large corporation suggests a notable footprint in the cybercrime landscape.

Distinguishing attributes of RagnarLocker include their specialisation in prolonged dwell times, often exceeding half a year, which allows them to map networks and locate valuable data before encryption. They frequently exploit critical vulnerabilities as an entry point, underscoring a technical proficiency in vulnerability research and exploit development. The group's use of a secure live chat for negotiation and their public emphasis on the robustness of the compromised security perimeter reflect a strategic approach to pressure victims into compliance. Additionally, their practice of threatening to auction or release stolen data exemplifies the double-extortion model that has become a hallmark of modern ransomware operations.

Structurally, the organisation is headquartered in Russia, as indicated in the available context. No explicit information regarding ownership, parent-company relationships, or subsidiary status is provided in the source material, so those details remain unspecified. Consequently, this profile is limited to the confirmed facts about the group's ransomware activities, observed behaviours, and known location.

Incidents
1 incident