# RagnarLocker

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/RagnarLocker
> Markdown URL: https://mediated.wiki/source/RagnarLocker.md
> Source: https://en.wikipedia.org/wiki/RagnarLocker
> Source revision: 1351136821
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Criminal hacking organization

| RagnarLocker | |
|---|---|
| Abbreviation | Ragnar Locker |
| Formation | December 2019 |
| Type | Hacking |
| Purpose | Extortion |

**RagnarLocker** (sometimes written "**Ragnar Locker**") is a [ransomware](/source/Ransomware) [hacker group](/source/Hacker_group) which uses [virtual machine escape](/source/Virtual_machine_escape) techniques to encrypt victims' system files. It first surfaced in December 2019.[1]

## History

The group first appeared at the end of 2019. It likely originates from [Eastern Europe](/source/Eastern_Europe), considering that it does not attack computers in former [USSR](/source/Soviet_Union) countries.[2] It carried out its first major attack on the Portuguese electric company [Energias de Portugal](/source/EDP_Group),[3] where it demanded a ransom of 10.9 million dollars and threatened to leak 10 [terabytes](/source/Byte) of data.

During 2022, it also attacked the video game company [Capcom](/source/Capcom) and the beverage company [Campari](/source/Campari_Group).[4][5][6]

## Function

**Ragnar Locker** operates by using an eponymously named malware called **RagnarLocker**.[7] First, the [dropper](/source/Dropper_(malware)) (usually delivered through a vulnerability in [Remote Desktop Protocol](/source/Remote_Desktop_Protocol)) checks the language setting of the [operating system](/source/Operating_system). If it is set to a language used in the former Soviet Union, the dropper stops. Otherwise, it starts by sending a copy of [system files](/source/System_file) to its central server and then downloads a package containing a version of [VirtualBox](/source/VirtualBox) configured to display the host computer and an image of [Windows XP](/source/Windows_XP) that contains the malware, which itself is only about 49 kB in size.[8]

The dropper, after disabling security-related services or services that could keep logs active (like [DBMS](/source/Database) software), launches the virtual machine and the ransomware via a [batch script](/source/Batch_file). The ransomware begins encrypting files on the host computer without raising suspicion, since the commands appear to come from VirtualBox rather than the ransomware itself.[8]

At the end of the process, a personalized [ransom note](/source/Ransom) is left behind on the victim's computer.[9]
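
For defenders, the sequence described above (services stopped, then a hypervisor started from a batch script) can be expressed as a correlation over process-creation events. The following Python sketch is an added example, not part of the original article or of any vendor's tooling; the events, host names, service names and non-default paths are constructed, and the default VirtualBox install path and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta
import ntpath

VBOX_BINARIES = {"vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe", "virtualbox.exe"}
EXPECTED_DIR = r"c:\program files\oracle\virtualbox"  # assumption: default install path
STOP_PREFIXES = ("sc stop ", "net stop ", "taskkill ")  # service/process shutdown commands
WINDOW = timedelta(minutes=10)  # assumption: correlation window

CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events: (host, ISO time, parent image, image, command line).
# Host names, service names and non-default paths are placeholders.
EVENTS = [
    ("WS01", "2024-01-01T10:00:05", CMD, r"C:\Windows\System32\net.exe", "net stop ExampleDbSvc"),
    ("WS01", "2024-01-01T10:00:07", CMD, r"C:\Windows\System32\sc.exe", "sc stop ExampleBackupSvc"),
    ("WS01", "2024-01-01T10:02:30", CMD, r"C:\ProgramData\Example\VBoxHeadless.exe",
     "VBoxHeadless.exe --startvm example-vm"),
    ("DEV02", "2024-01-01T09:00:00", EXPLORER, r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
     "VirtualBox.exe"),
    ("SRV03", "2024-01-01T11:00:00", CMD, r"C:\Windows\System32\sc.exe", "sc stop ExampleSvc"),
    ("DEV04", "2024-01-01T12:00:00", EXPLORER, r"D:\Tools\VirtualBox\VirtualBox.exe", "VirtualBox.exe"),
]


def find_suspicious_vm_launches(events):
    """Flag VirtualBox binaries run outside the expected directory when the launch
    came from cmd.exe or followed service-stop commands on the same host."""
    alerts, stops = [], {}
    for host, ts, parent, image, cmdline in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if cmdline.lower().startswith(STOP_PREFIXES):
            stops.setdefault(host, []).append(when)
            continue
        directory, name = ntpath.split(image.lower())
        if name not in VBOX_BINARIES or directory == EXPECTED_DIR:
            continue
        recent = [t for t in stops.get(host, []) if when - t <= WINDOW]
        from_script = ntpath.basename(parent.lower()) == "cmd.exe"
        if recent or from_script:
            alerts.append({"host": host, "time": ts, "image": image,
                           "from_script": from_script, "service_stops": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_vm_launches(EVENTS):
        print(alert)
```

Only the constructed WS01 launch is flagged: the standard install on DEV02, the service stop on SRV03 and the user-started portable copy on DEV04 each lack part of the pattern.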

## Arrests

Between October 16 and 20, 2023, [Europol](/source/Europol) and [Eurojust](/source/Eurojust) conducted a series of seizures and arrests in [Czechia](/source/Czech_Republic), [Spain](/source/Spain) and [Latvia](/source/Latvia) in response to RagnarLocker's criminal activity.[10] On October 20, an alleged main suspect and developer was brought before the examining [magistrates](/source/Magistrate) of the [Paris Judicial Court](/source/Tribunal_de_Paris).[10]

The ransomware's infrastructure was also seized in the [Netherlands](/source/Netherlands), [Germany](/source/Germany) and [Sweden](/source/Sweden), and the associated data leak website on [Tor](/source/Tor_(network)) was taken down in Sweden.[10]

## References

1. ["Ragnar Locker ransomware developer arrested in France"](https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/). *BleepingComputer*.
2. ["THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector"](https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true#:~:text=The%20first%20activity,Independent%20States%20CIS:). *cybereason.com*.
3. TRUȚĂ, Filip. ["Portuguese Energy Company Hit with Ragnar Locker Ransomware; Attackers Demand $10 Million to Decrypt the Data"](https://www.bitdefender.com/en-us/blog/hotforsecurity/portuguese-energy-company-hit-with-ragnar-locker-ransomware-attackers-demand-10-million-to-decrypt-the-data). *Hot for Security*.
4. ["4th Update Regarding Data Security Incident Due to Unauthorized Access: Investigation Results"](https://www.capcom.co.jp/ir/english/news/html/e210413.html). *www.capcom.co.jp* (Press release).
5. ["Malware attack: data security update"](https://www.camparigroup.com/sites/default/files/downloads/20201106_Campari%20Group%20Press%20Release_ENG_Final.pdf) (PDF) (Press release). Campari Group.
6. CLULEY, Graham. ["Campari staggers to its feet following $15 million Ragnar Locker ransomware attack"](https://www.bitdefender.com/en-us/blog/hotforsecurity/campari-staggers-to-its-feet-following-15-million-ragnar-locker-ransomware-attack). *Hot for Security*.
7. ["Europol: 'Key target' in Ragnar Locker ransomware operation arrested in Paris"](https://therecord.media/rangar-locker-ransomware-arrest-paris#:~:text=Europol+said+Ragnar+Locker+is+both+the+name+of+the+ransomware+strain+and+the+criminal+group+that+developed+and+operated+the+malware). *therecord.media*.
8. ["The ransomware that attacks you from inside a virtual machine"](https://news.sophos.com/en-us/2020/05/22/the-ransomware-that-attacks-you-from-inside-a-virtual-machine/). Sophos. May 22, 2020.
9. ["THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector"](https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true#:~:text=Following+the+machine+encryption,+Ragnar+Locker+creates+a+notepad.exe+process+that+presents+the+ransom+note+to+the+user%E2%80%99s+screen+with+the+ransom+and+payment+information). *cybereason.com*.
10. ["Ragnar Locker ransomware gang taken down by international police swoop"](https://www.europol.europa.eu/media-press/newsroom/news/ragnar-locker-ransomware-gang-taken-down-international-police-swoop). *Europol* (Press release).

---
Adapted from the Wikipedia article [RagnarLocker](https://en.wikipedia.org/wiki/RagnarLocker) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/RagnarLocker?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
