ragnarlocker
Group profile
Ragnar Locker was an elite ransomware group active from December 2019 to October 2023 that targeted large enterprises and critical infrastructure — including Capcom and Campari — claiming at least 168 victims before being taken down by a Europol-led international law enforcement operation in October 2023.
MITRE ATT&CK TTPs
Initial Access
Execution
T1059.001Command and Scripting Interpreter: PowerShell
PowerShell used for payload deployment and post-exploitation commands.
Defense Evasion
T1497.001Virtualization/Sandbox Evasion: System Checks
Ragnar Locker notably deployed its ransomware payload inside a VirtualBox Windows XP virtual machine to evade host-based security tools that could not inspect the VM's activity.
T1562.001Disable or Modify Tools
Security tools including managed service provider (MSP) remote management agents terminated to prevent remote remediation.
Credential Access
T1003OS Credential Dumping
Credential dumping tools used to harvest domain and local account credentials.
Discovery
Lateral Movement
T1021.001Remote Services: Remote Desktop Protocol
RDP leveraged for lateral movement across victim environments.
Exfiltration
T1567Exfiltration Over Web Service
Data exfiltrated to actor-controlled infrastructure ahead of encryption for double extortion via the Ragnar Locker leak site.
Command and Control
T1071.001Application Layer Protocol: Web Protocols
Cobalt Strike used for C2 over HTTPS.
Impact
T1486Data Encrypted for Impact
Ragnar Locker uses Salsa20 for file encryption with RSA-2048 for key protection. Unique technique of deploying payload inside a VirtualBox VM to bypass endpoint security. Active 2020-2023; key infrastructure seized by Europol/FBI in October 2023.
T1490Inhibit System Recovery
Volume Shadow Copies deleted; Windows recovery environment disabled.
Recent victims
showing 50 of 128| Date | Website / victim | Sector | Country |
|---|---|---|---|
| 2023-10-11 | S Scotbeef Ltd. - Leaks | Agriculture and Food Production | |
| 2023-10-11 | E Eicon Controle Inteligentes | Manufacturing | |
| 2023-10-06 | I International Presence Ltd - Leaked | Not Found | |
| 2023-10-05 |  Learning Partnership West - Leakedlpw.org.uk | Education | GB |
| 2023-10-03 | G Groupe Fructa Partner - Leaked | Agriculture and Food Production | |
| 2023-09-30 | N Network Pacific Real Estate - Leak | Not Found | |
| 2023-09-30 | A Astre - Leaked | Not Found | |
| 2023-09-25 | S Stratesys Full data leak | Technology | |
| 2023-09-22 | A Announcement: COMECA Group going to be Leaked | Not Found | |
| 2023-09-22 | A Announcement: Skatax Accounting company going to be leaked | Not Found | |
| 2023-09-22 | R Retail House - Full Leak | Not Found | |
| 2023-09-21 |  Announcement: Stratesys solutions going to be leakedstratesysgroup.com | Not Found | |
| 2023-09-21 | Announcement: Stratesys solutions going to bstratesysgroup.com | Not Found | |
| 2023-09-19 | A Announcement: Groupe Fructa Partner will be leaked soon | Agriculture and Food Production | |
| 2023-09-17 | C CITIZEN company LEAKED | Not Found | |
| 2023-09-17 | A Announcement: Retail House going to be LEAKED | Consumer Services | |
| 2023-09-15 | U Updates: Israel "MYMC" | Not Found | |
| 2023-09-06 | I Israel Medical Center - leaked | Healthcare | |
| 2023-09-02 | D DOIT - Canadian IT company allowed leak of its own clients. | Technology | |
| 2023-08-08 | B Batesville didn't react on appeal and allows Full Leak | Manufacturing | |
| 2023-07-31 | B Batesville Tool & Die, Inc will be leaked in 3 Days | Manufacturing | |
| 2023-07-10 |  Belize Electricity Limited - Leakedbel.com.bz | Energy | BZ |
| 2023-07-05 | P Portugal Scotturb Data Leaked | Transportation/Logistics | |
| 2023-05-28 | A Australian Universal Crane Leak | Construction | |
| 2023-05-18 | A Autlan Metallorum, Mexican Miner Leak | Energy | |
| 2023-04-25 |  CANTALK, Canadian translation services - Leakcantalk.com | Business Services | |
| 2023-03-29 | P Public Appeal to the CANTALK management | Not Found | |
| 2023-03-10 | T Temporary Leak Page #0013995NTa | Not Found | |
| 2023-03-03 | N New Leak in lawyers company AASP. | Business Services | |
| 2023-03-03 | N New Leak in lawyers company. | Business Services | |
| 2023-02-22 | A AASP claim there was no data leakage! | Not Found | |
| 2022-12-28 | H Hundred thousands of personal data, leak preview | Healthcare | |
| 2022-12-20 | W Wrapex Industrial - Leaked | Manufacturing | |
| 2022-12-20 | S Serena Hotels - Leaked | Hospitality and Tourism | |
| 2022-12-13 | I ITONCLOUD - LEAKED | Not Found | |
| 2022-11-25 | E Essent company - Leaked | Energy | |
| 2022-11-22 | L Leak Announcement - IT company ITonCLOUD | Technology | |
| 2022-11-16 | B Belgium company Zwijndrecht - Leaked | Not Found | |
| 2022-10-27 | D DURAVIT A.G. - Announcement before publishing data | Manufacturing | |
| 2022-10-19 | D Dollmar SpA - Leaked | Manufacturing | |
| 2022-10-18 | D DIPF-INTERN - Leaked | Education | |
| 2022-10-13 | F Fashion company ZIGI NY - Leaked | Consumer Services | |
| 2022-10-10 | D DMCI Holding Leaked | Not Found | |
| 2022-10-10 | T TANG CAPITAL LEAKED | Financial Services | |
| 2022-10-05 | A Avalon luxury transport company - Leaked | Transportation/Logistics | |
| 2022-10-03 | A AudioQuest Data Leaked | Manufacturing | |
| 2022-10-03 | M Malayan Flour Mills Bhd. Data Leak | Agriculture and Food Production | |
| 2022-09-19 | W Who is the real Bad Guys here? Or what recovery experts prefer to keep silent. | Not Found | |
| 2022-09-19 | T TAP Air Leak of more than 1.5 million of customers and many other. | Hospitality and Tourism | |
| 2022-09-12 | T TAP AIR PORTUGAL - 115k personal data leak | Transportation/Logistics |