Skip to Content

Ragnar Locker ransomware hacked

Updated on 2022-11-28: Ransomware Operators Leak Belgian Police Force Data

Ransomware operators who thought they were targeting a Belgian municipality in Antwerp instead stole from the Zwijndrecht police force in that city. The attackers leaked the data, which includes crime report files, investigation reports, traffic camera footage, and personnel information. The attackers reportedly leveraged an inadequately secured Citrix endpoint to gain access to the targeted network.


  • Talk about collateral damage. This is not the way to find out your endpoints are not properly secured. Take a look at your scan results making sure that findings (secure configurations, patching, end-of life, etc.) are being resolved according to your risk ratings, maybe make sure those risk scoring/ratings are still appropriate. Now, go look at all your external services, outsource, cloud, private cloud, etc. and have a clear understanding of who is on the hook for similar actions, then verify they are done within an acceptable level of risk. Make sure as much of this that can be automated is. Before going out to license new capabilities, check to see what is available/licensed which may not be fully utilized, if at all.
  • Human error, coupled with lack of configuration and patch management is often the root cause of successful ransomware attacks. The recently published ‘Blueprint for Ransomware Defense’ can serve as an action plan for ransomware mitigation, response, and recovery for the Belgian police force.


Updated on 2022-11-27

The Ragnar Locker ransomware group started leaking the sensitive data it stole from the Zwijndrecht police force, Belgium. The threat actor even gained access to records dating back to 2006. Read more: Belgian Police Under Fire After Major Ransomware Leak

Updated on 2022-11-26: Zwijndrecht police ransomed

The Ragnar Locker ransomware gang has hacked and is now extorting the police department of the Belgian city of Zwijndrecht. The group claims to have obtained information detailing thousands of license plates, speeding fines, and even criminal investigations, ranging from 2006 to September 2022. Police officials said they detected the attempt to encrypt their servers and shut down their network for two weeks while they investigated and restored services. Ragnar Locker has already leaked some of the files on their dark web leak site. Read more: Een van de grootste datalekken bij politie ooit: hacker gooit flitsboetes, nummerplaten en zelfs foto’s van mishandelde kinderen op straat

Updated on September 2022

The Ragnar Locker group was found selling the stolen information, including name, nationality, sex, date of birth, address, contact details, of 1.5 million TAP Air Portugal customers on the dark web. Read more: Cyberattack Steals Passenger Data From Portuguese Airline

Updated on August 2022: Greek Natural Gas Company Hit with Cyberattack

A natural gas distribution company in Greece was the target of a cyberattack. The incident compromised some data and was responsible for an IT system outage. The Ragnar Locker ransomware group has claimed responsibility for the attack.


  • The attack impacted their online services, not their gas delivery (OT) systems. DESFA is taking a conservative approach of validating and restoring all non-OT IT services, rather than just known compromised systems, before bringing them back online. That is a scenario worth discussing at your next tabletop. While there is no such thing as perfect security, there are steps you can take, like these, to reduce the likelihood of recurrence.


Updated on March 2022: FBI Alert: RagnarLocker Ransomware

The FBI has published an FBI TLP:WHITE flash alert about RagnarLocker ransomware. According to the alert, the RagnarLocker ransomware group has targeted networks of at least 52 US critical infrastructure organizations. The alert includes technical details and indicators of compromise.


  • Make sure you have those IOCs incorporated into your threat detection platform. When reading the techniques, note the list of locations are where the ransomware doesn’t operate. Additionally, it is selective about what it encrypts, leaving the system deceptively operating. The bulletin includes mitigations, what information is needed to report an attack, as well as resources including the FBI and CISA local offices. The FBI is poised to help if you discover this stealthy malware on your network.


Updated on June 2021: Ransomware Operators Leak Data Stolen from ADATA

Data stolen from Taiwanese memory and storage manufacturer ADATA has reportedly been leaked online. ADATA’s network was the target of a ransomware attack in late May. The ransomware operators appear to have stolen at least 700GB of archived data. The service where the data were being hosted closed the ransomware operators’ account.


  • While the MEGA storage service has closed their account, the Ragnar operators still have the data and will find another location to distribute it. This raises the concerns about where your exfiltrated data could be located and who has copies, despite assurances from the operators it will be deleted upon receipt of payment. It may be simpler to operate on a model that exfiltrated data has been released publicly and to build your response plan from there.
  • Ransomware is nothing more than malware; what makes it so effective is how criminals monetize the infections. Originally, monetization was via targeting availability, but criminals then added the impact of exposing confidentiality, as they did here. Depending on your industry, one of these two is bound to have a significant impact to your organization, thus the rise in payments.

Read more in:

Updated on November 2020: Capcom Discloses Cyberattack

Video game developer Capcom has disclosed that some of its networks were hit with a cyberattack on November 2. In a press release, Capcom said “it has halted some operations of its internal networks.” The attack appears to have affected Capcom’s email system as well; a notice on the company’s website says that it is currently “unable to reply to inquiries and/or to fulfill requests for documents.“ Read more in:

Updated on August 2020: US Travel Agency CWT Reportedly Paid $4.5M Ransomware Demand

Corporate travel agency CWT, formerly known as Carlson Wagonlit Travel) has confirmed that its network was shut down due to a ransomware attack in late July. The company reportedly paid $4.5 million to regain access to its encrypted data. The strain of ransomware used in the attack appears to be Ragnar Locker. Read more in:

Updated on May 2020: Ransomware Deploys Virtual Machine to Evade Detection

Researchers from Sophos found that the RagnarLocker ransomware group is installing the Oracle VirtualBox app to run virtual machines (VMs) on targeted computers. The attackers use the VM to execute the ransomware and evade detection. The RagnarLocker operators choose their targets carefully, focusing exclusively on corporate and government networks.

Editor’s Note: The targets chosen are more likely to be running VirtualBox, so its presence alone is not necessarily a red flag. This attack installs an unsigned SunxVM VirtualBox MSI from 2009, which should trigger endpoint defenses. Unplanned disabling of backup and remote management utilities also merits follow-up. As this group is also known for exfiltrating data, expect threats of data disclosure to accompany ransom demands. Read more in:

Overview: European Energy Company Faces Ransomware Demand

Systems at European energy company Energias de Portugal (EDP) were hit with ransomware on Monday, April 13, 2020. The Lisbon-based company says it is working with authorities regarding the attack. The operators of the Ragnar Locker ransomware are threatening to publish or sell data stolen from the company if it does not pay the 1,580 bitcoin (€10.3 million, US $11.2 million) demand.

Note: It is very late to be seeing so many successful extortions based on weak cyber security. Raise the cost of attack against your systems and improve your resilience. The bad news is that you need to raise the cost of attack about ten-fold to be effective. The good news is that you are on the flat part of the security cost curve where you can get a big bang for your bucks. Lack of budget is not an excuse; there is always money for that which must be done. Ask for it over and over until you get it. That is called “your job.” Read more in:

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.