Disclosure context

About Ragnarlocker

**Overview:** Ragnarlocker is a financially motivated ransomware operation that emerged in April 2020, conducting targeted attacks against enterprise organizations across multiple sectors with a focus on maximizing profit through encryption and data theft extortion tactics. **Origin & Affiliation:** The group's country of origin remains unclear based on publicly available intelligence, though they operate as an independent ransomware family rather than offering Ransomware-as-a-Service capabilities to other criminal actors. **Attack Methodology:** Ragnarlocker operators typically gain initial access through compromised Remote Desktop Protocol credentials, phishing campaigns, and exploitation of public-facing applications, subsequently deploying their custom ransomware payload that employs strong encryption algorithms. The group practices double extortion tactics, exfiltrating sensitive data before encryption and threatening to publish stolen information on dedicated leak sites if ransom demands are not met, often targeting network shares and attempting to delete shadow copies to prevent recovery. **Notable Campaigns:** The group has successfully compromised 128 documented victims across multiple countries, with significant targeting of critical infrastructure sectors including energy, finance, and telecommunications organizations, though specific high-profile incidents and ransom amounts have not been widely disclosed in public threat intelligence reports. **Current Status:** Based on available public reporting, Ragnarlocker remains an active threat as of recent security advisories, continuing to target organizations primarily in the United States and Europe. The group has been linked to 128 public disclosures across our corpus. First observed on a leak site on April 1, 2020; most recent post October 11, 2023. The operation is currently inactive.

Also tracked as: Ragnar Locker.

Timeline of this disclosure

April 25, 2023CANTALK, Canadian translation services - Leak listed by Ragnarlockeron the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Business Services sector, which has 2,640 disclosures indexed across all operators we track. Geographically, CANTALK, Canadian translation services - Leak is reported in Canada, a country with 810 ransomware disclosures in our corpus.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.

Ransomware victim disclosure

← All victims

CanTalk Canada

listed as CANTALK, Canadian translation services - Leak · Claimed by Ragnarlocker · listed 3 years ago

37m

Age

since listed · data leaked

Status timeline

Listed
Apr 25, 2023
Data leaked

At a glance

Group: Ragnarlocker
Status: Data leaked
Country: Canada
Sector: Business Services
Listed on leak site: Apr 25, 2023

About the victim

AI dossier — public-source company profile

CanTalk Canada is a Canadian language services provider offering over-the-phone interpretation, translation, and cultural support in 200+ languages and dialects, including French Canadian and Indigenous languages. The company serves businesses, not-for-profits, and government agencies across Canada and the U.S. with integrated call centre, on-site, and remote language solutions available 24/7/365.

Industry: Language Services & Translation
Employees: 51-200

Attack summary

Severity: high — Data has been published (disclosed status: data_published) by a known ransomware group. CanTalk serves healthcare, government, immigration/refugee, and legal sectors, meaning exfiltrated data likely includes sensitive client communications and potentially regulated PII across multiple vulnerable populations.

Ragnar Locker claims a data-published attack against CanTalk Canada, indicating data has been exfiltrated and disclosed; no specific ransom amount or data volume was stated in the available leak post.

high

Data the group says was taken

AI dossier — extracted from the leak post

Client records
Call centre data
Multilingual service logs
Employee information
Government agency communications
Healthcare language service records
Immigration and refugee service records
Legal language service records
Business contact data

Sources

Victim sitecantalk.com
Leak posthttp://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/?IstbRzkUA5SdIxH

Source

Indexed 3 years ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.