Fighting Cybercrime: Law Enforcement vs. Hacktivists

On October 18, 2023, an international law enforcement operation seized the Ragnar Locker ransomware operation’s Tor negotiation and data leak sites. On October 17, 2023, the Ukrainian Cyber Alliance, a group of hacktivists, hacked into and wiped the servers of the Trigona ransomware operation. Both groups were targeted and disrupted within days of each other, yet the results are interestingly different. This blog post outlines how the outcome of an international law enforcement operation differs from that of a hacktivist group going after a ransomware operation.

Ragnar Locker (aka RagnarLocker)

Ragnar Locker is one of the longest-standing ransomware operations in the threat landscape, active since at least December 2019. Like other operations, it moves laterally to other devices, collects and exfiltrates sensitive data, and threatens to leak that data on its data leak site if the victim does not pay the ransom demand. As a semi-private operation, Ragnar Locker did not actively recruit affiliates on cybercriminal forums the way other groups do, but instead worked with specific third parties. The group did not always encrypt its victims, and it most often targeted the industrials vertical, which includes the manufacturing, construction and engineering, and professional and commercial services industries.

On October 19, 2023, the Ragnar Locker data leak site displayed the following message stating that the site had been seized as part of an international law enforcement operation.


Figure 1: Ragnar Locker (aka RagnarLocker) Tor site

It is normal practice for such messages to be displayed after international law enforcement operations disrupt cybercriminal and data leak sites. Similar messages appeared following the disruptions of the Hive and NetWalker ransomware operations.

Trigona

Samples of the much newer Trigona ransomware date back to early 2022, but the group officially declared its name and publicly launched its data leak site in October 2022. Trigona operators have most often targeted organizations in the manufacturing, financial services, construction and engineering, and technology verticals. In April 2023, the group was observed targeting Microsoft SQL servers exposed to the internet, gaining access through brute-force or dictionary attacks against weak account credentials.
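
As an added example (not code from the original post, from Optiv, or from any group discussed here), the Python script below shows one way to spot the kind of credential guessing described above in SQL Server's own ERRORLOG: it parses the "Login failed" and "Login succeeded" audit lines, counts failures per client address in a sliding window, and flags a client that crosses a threshold, noting whether a successful login followed the burst of failures from the same address, which is the case a responder most wants to see. The log lines are constructed for the example; the threshold and window are assumed values to tune for your environment. It assumes failed-login auditing is enabled (the SQL Server default) and, for the success-after-failure check, that successful logins are audited too (not the default).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format; not taken from any real incident.
# Five 'sa' failures from one external client in a few seconds, then a success from
# the same client, plus a lone failure from an internal host that should not be flagged.
SAMPLE_ERRORLOG = """\
2023-04-10 12:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-10 12:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-10 12:00:01.45 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-10 12:00:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-10 12:00:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-10 12:00:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-10 12:00:03.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-10 12:00:03.70 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-04-10 12:01:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Matches only the audit lines that carry a user name and client address.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(log_text):
    """Return (timestamp, outcome, user, client) tuples, oldest first; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue  # 'Error: 18456' summary lines and unrelated messages carry no client
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("outcome"), m.group("user"), m.group("client")))
    events.sort(key=lambda e: e[0])  # ERRORLOG is normally ordered; sort in case files were concatenated
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside a sliding window.

    Returns {client: {"failures": peak failures in window, "users": names tried,
    "success_after": True if a login succeeded from that client while failures were
    still inside the window}}.  threshold/window are assumed tuning values.
    """
    recent = defaultdict(list)   # client -> failure timestamps still inside the window
    users = defaultdict(set)     # client -> user names it tried
    alerts = {}
    for ts, outcome, user, client in parse_logon_events(log_text):
        fails = recent[client]
        fails[:] = [t for t in fails if ts - t <= window]  # slide the window forward
        if outcome == "failed":
            fails.append(ts)
            users[client].add(user)
            if len(fails) >= threshold:
                alert = alerts.setdefault(client, {"failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(fails))
                alert["users"] = set(users[client])
        elif client in alerts and fails:
            # A success right after a burst of failures means a password was guessed.
            alerts[client]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for client, detail in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(client, detail)
```

In the constructed sample only 203.0.113.5 is flagged, with five failures against 'sa' followed by a success; the single failure from 10.0.0.7 stays below the threshold. A server that should never be reachable from the internet will show these bursts from public addresses, which is the finding that matters more than the exact count.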

It was not law enforcement but the Ukrainian Cyber Alliance (UCA) hacktivist group that took down Trigona’s servers. Initiated in 2021, the UCA is comprised of volunteers worldwide who purportedly work to defend Ukraine’s cyberspace against Russian attacks. The group claims to have conducted multiple operations that exposed Russian activity and propaganda efforts. Around October 12, 2023, UCA hackers reportedly gained access to the Trigona ransomware infrastructure by leveraging a public exploit for CVE-2023-22515 (CVSS 9.8), a critical vulnerability in Confluence Data Center and Server. UCA maintained persistence on that infrastructure and eventually wiped the servers completely. The group told researchers at BleepingComputer that if the exfiltrated information contained decryption keys, they would release them, and that they would turn the stolen information over to law enforcement. The Trigona data leak site briefly displayed the image below before it was taken offline completely.
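
Any organization running Confluence Data Center or Server should ask whether the same door was used against it. As an added example (not code from the original post, from the UCA, or from Atlassian), the Python check below scans web access logs in the common "combined" format, assumed here to come from a reverse proxy in front of Confluence, for the request pattern that public advisories associate with exploitation of CVE-2023-22515: a request that resets the setupComplete flag through /server-info.action, followed by requests to the /setup/ endpoints, including the POST to /setup/setupadministrator.action that creates a new administrator. The log lines are constructed for the example; a production instance should never see /setup/ requests after its initial installation.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in combined log format; not taken from any real incident.
# First three lines: the CVE-2023-22515 sequence from one external address.
# Last two lines: ordinary traffic that must not be flagged.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [12/Oct/2023:03:14:07 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
203.0.113.9 - - [12/Oct/2023:03:14:08 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
203.0.113.9 - - [12/Oct/2023:03:14:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
10.0.0.21 - - [12/Oct/2023:03:20:00 +0000] "GET /server-info.action HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
10.0.0.21 - - [12/Oct/2023:03:20:05 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 23119 "-" "Mozilla/5.0"
"""

# Enough of the combined format to get client, time, method, target and status.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SETUP_COMPLETE_PARAM = "bootstrapStatusProvider.applicationConfig.setupComplete"


def classify_request(method, target):
    """Return a reason string if the request is a CVE-2023-22515 indicator, else None."""
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    # Step 1 of the public exploit chain: flip the instance back into "not yet set up".
    if path.startswith("/server-info.action") and query.get(SETUP_COMPLETE_PARAM) == ["false"]:
        return "setupComplete reset via server-info.action"
    # Step 2: the setup wizard is only legitimate during initial installation.
    if path.startswith("/setup/"):
        if path == "/setup/setupadministrator.action" and method == "POST":
            return "admin account creation via setup endpoint"
        return "setup endpoint reached on an already-configured instance"
    return None


def find_cve_2023_22515_indicators(log_text):
    """Scan access-log text and return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line; skip rather than guess
        reason = classify_request(m.group("method"), m.group("target"))
        if reason is None:
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "path": urlsplit(m.group("target")).path,
            "status": int(m.group("status")),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_cve_2023_22515_indicators(SAMPLE_ACCESS_LOG):
        print(f["time"], f["ip"], f["method"], f["path"], f["status"], "-", f["reason"])
```

On the sample the three requests from 203.0.113.9 are reported and the two internal requests are not; a plain GET of /server-info.action without the setupComplete parameter is normal and is deliberately left alone. A hit is a strong indicator, not proof: confirm by checking the confluence-administrators group for accounts nobody created, and treat the host as compromised rather than simply patched if one is found.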


Figure 2: Trigona data leak site

The Difference

The disruption of the Ragnar Locker ransomware group highlights the increased spotlight that law enforcement has shined on ransomware operations. Most ransomware operations are based in “safe harbor” countries that turn a blind eye to ransomware activity on the condition that organizations within that region are not targeted. Because the operators themselves are out of reach, law enforcement operations focus on infiltrating and disrupting a ransomware operation’s infrastructure rather than on apprehending the individuals behind it. Participating law enforcement agencies will likely release additional information about the operation.

The disruption of Trigona highlights that no group, organization, or individual is immune from the exploitation of vulnerabilities for initial access. Ransomware groups often exploit critical vulnerabilities in ubiquitous software to break into their victims; it is ironic that one of those same vulnerabilities led to the exposure and disruption of one of those groups.

Law enforcement agencies leave behind a seizure notice, likely as a warning to other threat actors that no group or actor is immune from being disrupted or captured. Hacktivists, by contrast, stick to their own TTPs and deface cybercriminal sites before taking them down. Over the next 12 months, law enforcement agencies will likely continue to focus on disrupting cybercriminals’ operations, while hacktivist groups like UCA will continue to exploit vulnerabilities and weaknesses in infrastructure to deface sites and steal sensitive information.

Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.
