The developer of the Ragnar Locker ransomware has been arrested in Paris, France, as part of an international law enforcement effort to dismantle the Ragnar Locker ransomware operation known for targeting critical infrastructure across the world, including hospitals.

Active since 2019, the ransomware operation employed a double extortion tactic, demanding payments for decryption tools as well as for the non-release of the sensitive data stolen. The operators of Ragnar Locker threatened their victims to not hire negotiators, stating it would be considered a hostile act.

Ragnar Locker typically delivers malware via RDP or exploitation of other exposed applications or interfaces.

As part of the law enforcement operation, carried out between 16 and 20 October, the authorities conducted raids in Czechia, Spain and Latvia. Five suspects were detained in Spain and Latvia. Additionally, Ukrainian cyber cops conducted searches at a suspect’s home in Kyiv and seized laptops, mobile phones and “electronic storage devices.”

An alleged developer of the Ragnar group has been brought in front of the examining magistrates of the Paris Judicial Court, Europol said.

The ransomware’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.

Last week, a group of pro-Ukraine hacktivists known as Ukrainian Cyber Alliance commandeered a data leak site of the Trigona ransomware, exfiltrated data and wiped the servers. The group said they used a privilege escalation vulnerability (CVE-2023-22515) in Atlassian Confluence software said to have been exploited by at least one threat actor (Storm-0062) since September 2023.

The activists said they exfiltrated the information from Trigona’s administration and victim panels, their blog and data leak site, as well as the developer environment, cryptocurrency hot wallets, the source code and database records.