Skip to main content

Operator dossier

Ragnarlocker (also tracked as Ragnar Locker) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 128 public victims claimed by this operator between April 1, 2020 and October 11, 2023. **Overview:** Ragnarlocker is a financially motivated ransomware operation that emerged in April 2020, conducting targeted attacks against enterprise organizations across multiple sectors with a focus on maximizing profit through encryption and data theft extortion tactics. **Origin & Affiliation:** The group's country of origin remains unclear based on publicly available intelligence, though they operate as an independent ransomware family rather than offering Ransomware-as-a-Service capabilities to other criminal actors. **Attack Methodology:** Ragnarlocker operators typically gain initial access through compromised Remote Desktop Protocol credentials, phishing campaigns, and exploitation of public-facing applications, subsequently deploying their custom ransomware payload that employs strong encryption algorithms. The group practices double extortion tactics, exfiltrating sensitive data before encryption and threatening to publish stolen information on dedicated leak sites if ransom demands are not met, often targeting network shares and attempting to delete shadow copies to prevent recovery. **Notable Campaigns:** The group has successfully compromised 128 documented victims across multiple countries, with significant targeting of critical infrastructure sectors including energy, finance, and telecommunications organizations, though specific high-profile incidents and ransom amounts have not been widely disclosed in public threat intelligence reports. **Current Status:** Based on available public reporting, Ragnarlocker remains an active threat as of recent security advisories, continuing to target organizations primarily in the United States and Europe.

Most-targeted sectors

Most-affected countries

Recent disclosures by Ragnarlocker

All 128 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Ragnarlocker

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Ragnarlocker

aka Ragnar Locker · 128 victims indexed · first seen 6 years ago · last activity 3 years ago

128
Victims indexed
#62 of 364 tracked operators
3y 6m
Active period
Apr 2020 → Oct 2023
7
Countries hit
top United States · 10

At a glance

Status
inactive
Aliases
Ragnar Locker
First seen
6 years ago
Last activity
3 years ago
Onion sites
5 known endpoints
Primary sector
Finance · 5 hits

About

**Overview:** Ragnarlocker is a financially motivated ransomware operation that emerged in April 2020, conducting targeted attacks against enterprise organizations across multiple sectors with a focus on maximizing profit through encryption and data theft extortion tactics. **Origin & Affiliation:** The group's country of origin remains unclear based on publicly available intelligence, though they operate as an independent ransomware family rather than offering Ransomware-as-a-Service capabilities to other criminal actors. **Attack Methodology:** Ragnarlocker operators typically gain initial access through compromised Remote Desktop Protocol credentials, phishing campaigns, and exploitation of public-facing applications, subsequently deploying their custom ransomware payload that employs strong encryption algorithms. The group practices double extortion tactics, exfiltrating sensitive data before encryption and threatening to publish stolen information on dedicated leak sites if ransom demands are not met, often targeting network shares and attempting to delete shadow copies to prevent recovery. **Notable Campaigns:** The group has successfully compromised 128 documented victims across multiple countries, with significant targeting of critical infrastructure sectors including energy, finance, and telecommunications organizations, though specific high-profile incidents and ransom amounts have not been widely disclosed in public threat intelligence reports. **Current Status:** Based on available public reporting, Ragnarlocker remains an active threat as of recent security advisories, continuing to target organizations primarily in the United States and Europe.

References

51 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2021-09-01T00:00:00+00:00 · 32021-10-01T00:00:00+00:00 · 22021-11-01T00:00:00+00:00 · 12021-12-01T00:00:00+00:00 · 52022-01-01T00:00:00+00:00 · 22022-02-01T00:00:00+00:00 · 12022-03-01T00:00:00+00:00 · 22022-04-01T00:00:00+00:00 · 22022-05-01T00:00:00+00:00 · 22022-06-01T00:00:00+00:00 · 42022-07-01T00:00:00+00:00 · 22022-08-01T00:00:00+00:00 · 72022-09-01T00:00:00+00:00 · 52022-10-01T00:00:00+00:00 · 92022-11-01T00:00:00+00:00 · 32022-12-01T00:00:00+00:00 · 42023-02-01T00:00:00+00:00 · 12023-03-01T00:00:00+00:00 · 42023-04-01T00:00:00+00:00 · 12023-05-01T00:00:00+00:00 · 22023-07-01T00:00:00+00:00 · 32023-08-01T00:00:00+00:00 · 12023-09-01T00:00:00+00:00 · 142023-10-01T00:00:00+00:00 · 5
2021-09-01T00:00:00+00:002023-10-01T00:00:00+00:00

Top countries

🇺🇸 United States
10
🇬🇧 United Kingdom
6
🇫🇷 France
3
🇩🇪 Germany
2
🇮🇹 Italy
2
🇵🇹 Portugal
1
🇲🇾 Malaysia
1

Top sectors

Finance
5
Manufacturing
3
Retail
3
Telecommunications
3
Energy
2
Technology
2
Transportation
2
Education
1

MITRE ATT&CK

6 techniques · 5 tactics

Tactics

Initial AccessExecutionDefense EvasionDiscoveryImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1562.001Disable or Modify Tools
  • T1083File and Directory Discovery
  • T1082System Information Discovery
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

5 known
  • http://p6o7m73ujalhgkiv.onion
  • http://ragnarnwvli32xnmwudsvhbl7klzmofxeylyhcqfc5ifx5mbybq3ekqd.onion
  • http://rgleak7op734elep.onion
  • http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion
  • http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/

Source

Updated 3 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Ragnarlocker posts a victim.

Add Ragnarlocker to your watchlist — Pro pings you within 5 minutes of any new Ragnarlocker leak-site post, Telegram callout, or affiliate-rebrand inference.