Pro-Ukrainian hackers and investigators take down two dangerous ransomware gangs

The Trigona ransomware gang has been defeated at its own game. And there is also good news about the ‘RagnarLocker’ group, which is likely to shock the Russian-speaking cyber underworld.

Daniel Schurter

The Russian-speaking ransomware gangs that cause major damage with their attacks suffered two heavy blows this week: two active groups lost their infrastructure. Here is everything you need to know about these unusual events.

Hacktivists hack Russian cybercriminals

The hacktivist group “Ukrainian Cyber Alliance” has dealt a serious blow to the Russian-speaking ransomware gang Trigona: the tech-savvy hackers exploited a vulnerability in server software to hijack the cybercriminals’ darknet portal.

According to their own statements, the hacktivists unknowingly copied all stored data before deleting it. They then provided the homepage with a special “greeting” addressed to the Internet extortionists.

“Welcome to the world you created for others.”

The gang’s darknet addresses, known in relevant circles by the “.onion” suffix, have recently become unreachable via the Tor anonymization network.

Screenshot of the darknet page of the Trigona ransomware gang, apparently taken down by pro-Ukrainian hacktivists (October 18, 2023).

Trigona is one of the gangs whose business model is known as ‘Ransomware as a Service’ (RaaS). The cybercriminals offered their IT infrastructure to third parties for a fee to hack and extort victims.

The encryption software of the same name has been known since June 2022. It was a relatively young gang, although it cannot be ruled out that the members of the gang were also active under other names.

According to the information on the darknet site, most of the affected companies were from the US, but several organizations in Europe were also hacked and pilloried for not paying up. Watson is not yet aware of any Swiss victims of Trigona.

The pro-Ukrainian hacktivists wrote on X that they initially wanted to evaluate the ransomware gang’s data themselves. According to Bleeping Computer, the data could then be passed on to law enforcement agencies.

The allegedly stolen data includes the developer environment with the malware source code, cryptocurrency accounts and database entries, a member of the Ukrainian Cyber Alliance wrote on X.

“Ransomware is the scavenger of the computer world.”

Screenshot of the hacker attack on the Trigona ransomware gang.

The hacked cybercriminals must have been deeply shocked: when they finally noticed the intrusions into their IT system, they desperately tried to change the passwords. Without success.

A message confirming the attack has now been published on a Russian hacker forum. The Trigona administrator claims that the gang will have a new infrastructure up and running within a few days.

And that brings us to another, even more dangerous ransomware gang that suffered a devastating setback this week…

Investigators paralyze Ragnar Locker’s infrastructure

The darknet infrastructure of Russian-speaking ransomware gang Ragnar Locker has been seized as part of an international law enforcement operation and a key individual believed responsible has been arrested by police, Europol announced on Friday.

Screenshot of the darknet page of the Ragnar Locker ransomware gang.

According to a Europol statement, searches were carried out in a coordinated operation in the Czech Republic, Spain and Latvia between October 16 and 20. The ‘main target’, an IT developer, was arrested in Paris, France, and his apartment in the Czech Republic was searched. In the following days, five suspects were also interrogated by investigators in Spain and Latvia.

“At the end of the week of action, the main perpetrator, suspected of being a developer of the Ragnar group, was brought before the investigating judges of the Paris court.”

The ransomware gang’s infrastructure was also seized in the Netherlands, Germany and Sweden, and the associated Tor leak website, hosted in Sweden, was taken down.

This international raid is “the result of complex investigations” carried out by the French Gendarmerie in collaboration with law enforcement agencies from Germany, Italy, Japan, Latvia, the Netherlands, Sweden, Spain, Ukraine, the Czech Republic and the US.

Already in October 2021, investigators from the French Gendarmerie and the US federal police, the FBI, were sent to Ukraine together with specialists from Europol and Interpol. According to the statement, they conducted an investigation with the Ukrainian National Police that led to the arrest of two prominent Ragnar Locker operators. The investigation has continued since then and led to this week’s arrests and seizures.

“This research once again shows that international cooperation is key to defeating ransomware groups. Prevention and security continue to improve, but ransomware operators continue to innovate and find new victims.”

What made Ragnar Locker so dangerous?

Ragnar Locker is considered one of the longest-active ransomware gangs in the world. Since 2019, the group has made a name for itself with cyber attacks on companies operating critical infrastructure and is considered a pioneer of so-called ‘big game hunting’: the cybercriminals deliberately target large, solvent companies, ensnare them and steal valuable data.

The hackers used their attack tools against computers running Microsoft Windows operating systems and typically gained initial access through exposed online services such as the Remote Desktop Protocol (RDP).

By the time the leak site was closed, Ragnar Locker had more than 100 victims listed there, as IT security firm CrowdStrike wrote in a statement.

According to the FBI, more than fifty organizations in critical economic sectors were hit by Ragnar Locker cyber attacks between April 2020 and March 2022 alone, including major energy supplier Energias de Portugal (EDP), Portuguese airline TAP, French aerospace company Dassault Aviation and French shipping and logistics company CMA CGM, as well as a major Israeli hospital and Greece’s national natural gas operator.

Sources

  • europol.europa.eu: Ragnar Locker ransomware gang taken out by international police operation
  • bleepingcomputer.com: The dark web extortion sites of the Ragnar Locker ransomware have been seized by police
  • bleepingcomputer.com: Ukrainian activists hack Trigona ransomware gang and wipe servers
  • twitter.com: Thread by user herm1t
  • twitter.com: Posted by AzAl Security
  • cybereason.com: Ragnar Locker ransomware targeting the energy sector

Daniel Schurter

Source: Watson
