RagnarLocker Ransomware Targeted 52 Critical Infrastructure Firms, But None in Russia

essidsolutions

More than four dozen organizations across ten critical infrastructure sectors in the U.S. were compromised by the RagnarLocker ransomware. The group targeted 52 organizations from the manufacturing, energy, financial services, government, and information technology sectors, according to the FBI.

First discovered in April 2020, RagnarLocker ransomware didn’t feature among ransomware families that stood out in Ivanti’s 2022 Ransomware Spotlight Year End Report. However, going after critical U.S. infrastructure has earned them a flash alert jointly released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

The joint flash alert states that by January 2022, RagnarLocker targeted over 50 critical infrastructure organizations in the U.S. alone. The group extensively uses the double extortion attack technique to exfiltrate data before encrypting the target system.

This allows the attacker to threaten to release the exfiltrated data publicly if the victim refuses to fork out the ransom. What’s more, RagnarLocker operators frequently change obfuscation techniques to avoid detection and prevention.

One of these methods is to assess all running services and terminate those used in remote network administration by managed service providers. Another method, the agencies noted, is identifying which files not to encrypt.
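As an added defender-side example (not code from the FBI/CISA alert or from this article), the following Python script flags a burst of stops among remote-administration services, the behaviour described above, by scanning constructed Service Control Manager 7036-style log lines; the service names and the log line format are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Hypothetical watchlist of service names a defender would associate with
# MSP remote-administration tooling; tune it to the tools actually deployed.
REMOTE_ADMIN_SERVICES = {"RemoteAdminAgent", "MspMonitorSvc", "RmmHostSvc", "BackupAgentSvc"}

# Matches a simplified, constructed rendering of Service Control Manager
# event 7036 ("The <name> service entered the <state> state").
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) msg="The (?P<svc>.+?) service entered the (?P<state>\w+) state"'
)

def parse_line(line):
    """Parse one log line into (timestamp, event id, service, state), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), int(m["eid"]), m["svc"], m["state"])

def detect_service_kill_burst(lines, threshold=3, window_seconds=60):
    """Alert when at least `threshold` distinct watchlisted services enter the
    stopped state within one sliding window of `window_seconds`."""
    recent = deque()  # (timestamp, service) for watchlisted stops, oldest first
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, eid, svc, state = parsed
        if eid != 7036 or state != "stopped" or svc not in REMOTE_ADMIN_SERVICES:
            continue
        recent.append((ts, svc))
        # Drop stops that fall outside the window relative to the newest event.
        while recent and ts - recent[0][0] > timedelta(seconds=window_seconds):
            recent.popleft()
        distinct = {s for _, s in recent}
        if len(distinct) >= threshold:
            alerts.append((ts, frozenset(distinct)))
    return alerts

# Constructed sample log lines (not real telemetry): three watchlisted services
# stop within seconds, a fourth stops much later on its own.
SAMPLE_LOG = [
    '2022-03-07 09:00:01 EventID=7036 msg="The Spooler service entered the stopped state"',
    '2022-03-07 09:00:05 EventID=7036 msg="The RemoteAdminAgent service entered the stopped state"',
    '2022-03-07 09:00:06 EventID=7036 msg="The MspMonitorSvc service entered the stopped state"',
    '2022-03-07 09:00:07 EventID=7036 msg="The MspMonitorSvc service entered the running state"',
    '2022-03-07 09:00:09 EventID=7036 msg="The RmmHostSvc service entered the stopped state"',
    '2022-03-07 10:30:00 EventID=7036 msg="The BackupAgentSvc service entered the stopped state"',
]
```

Running `detect_service_kill_burst(SAMPLE_LOG)` yields a single alert at 09:00:09 naming the three services stopped together; the isolated 10:30:00 stop is outside the window and is not flagged.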


“RagnarLocker encrypts all available files of interest. Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. Taking this approach allows the computer to continue to operate ‘normally’ while the malware encrypts files with known and unknown extensions containing data of value to the victim.”

RagnarLocker also filters targets by location. Interestingly, one of the locations that RagnarLocker doesn’t target is Russia: the infection and encryption process terminates if the target system is located in Russia, Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan, Ukraine, or Georgia.

However, Tim Erlin, VP of Strategy at Tripwire, underscored that the threat actor behind the variant might not necessarily refrain from targeting systems in the countries mentioned above. “It’s a mistake to conflate the tool used with the actor executing that tool,” Erlin said.

“There are certainly cases where the threat actor and the tool are closely associated, but without clear evidence, it’s an assumption. The RagnarLocker tool does include code to avoid countries that are part of the Commonwealth of Independent States, which includes Russia among others,” he added.

There is no indication that the RagnarLocker ransomware gang operates under the ransomware-as-a-service model. So we can only assume that RagnarLocker operators and developers are the same and are wary of targeting Russia and others.

RagnarLocker’s indicators of compromise are detailed by the FBI and CISA in the flash alert. The FBI encourages ransomware victims not to pay the ransom since it doesn’t guarantee the safe return of data, but asks organizations to report the incident even if they decide to pay. Victims can report to the local FBI field office or submit details online to the FBI’s Internet Crime Complaint Center (IC3).
