An international law enforcement operation involving the U.S. Federal Bureau of Investigation, the European Union Agency for Law Enforcement Cooperation and various national police forces has seized data leak sites belonging to the Ragnar Locker ransomware gang.

As first reported today by Bleeping Computer, visits to Ragnar Locker’s main dark web leak site now shows a message stating that “this service has been seized as part of a coordinated international law enforcement action against the Ragnar Locker group. SiliconANGLE has confirmed that the message is on the site (pictured, adjacent).

A Europol spokesman confirmed that the seizure is legitimate and part of an ongoing action targeting the gang and that further information will be forthcoming soon. The FBI so far has declined to comment.

Ragnar Locker is a well-known double-tap ransomware gang, so-called because it both encrypts files and steals data, demanding a ransom payment for both a decryption key and a promise not to publish the stolen data. The gang has used varying methods over the years to target victims, including having previously taken to buying Facebook Inc. advertising to put pressure on its victims to pay up.

Victims of Ragnar Locker include Italian drinks maker Davide Campari-Milano S.p.A, French shipping giant CMA CGM S.A. in September 2020 and Japanese video game developer Capcom Co. Ltd.

Adam Meyers, head of Counter Adversary Operations at CrowdStrike Holdings Inc., told SiliconANGLE that it’s expected that the law enforcement agencies from the European Union, the U.S. and Japan will formally announce the seizure of Ragnar Locker’s dedicated leak site on Friday. CrowdStrike tracks Ragnar Locker as VIKING SPIDER.

“VIKING SPIDER is one of the first Big Game Hunting ransomware adversaries to leverage the threat of publication of stolen data to a dedicated leak site to pressure victims,” Meyers explained. “In its period of activity, VIKING SPIDER posted over a hundred victims from 27 sectors to their DLS.”

Meyers added that “CrowdStrike Intelligence assesses that this operation will likely severely impact VIKING SPIDER operations in the medium term. This assessment is made with moderate confidence given the effectiveness of other similar operations.”

Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., was a little more skeptical, commenting that although “on the surface this feels like a win, ultimately it may be no more than an inconvenience for the Ragnar group if they are able to quickly set up other servers to replace these.”

Kron also warned that the sites being taken down could cause issues for organizations that have been affected by a Ragnar Locker ransomware attack but have now lost a method to negotiate with the bad actors.

“Unless the websites that were seized contain information or decryption keys for these people, it could significantly delay their ability to recover,” Kron explained. “In the cases where encryption didn’t occur but the data was stolen, there’s a good chance that that data still resides with people that make up the group.”

Images: SiliconANGLE, Ragnar Locker