FBI Gives Advisory Concerning Escalating Ragnar Locker Ransomware Activity

A recent private industry alert from the Federal Bureau of Investigation (FBI) showed that threat actors employing Ragnar Locker ransomware have leveled up their attacks and have been selecting businesses and organizations in various industries as targets.

Security researchers first discovered the Ragnar Locker ransomware last April 2019. The first identified attack hit a big company and the attacker demanded an $11 million ransom payment in exchange for the keys to decrypt files and the promise to securely delete 10 terabytes of sensitive information stolen in the ransomware attack.

Although the advisory did not name the attacked firm, it appears that it was the international energy corporation, Energias de Portugal. The culprit responsible for the ransomware attack also attacked Italian drinks company Campari and the Japanese gaming business Capcom.

From then on, there has been an increase in Ragnar Locker victims, which include cloud service providers, and firms engaged in communication, construction, travel, business software, and other sectors.

Like in other ransomware attacks, the attackers employing Ragnar Locker ransomware carry out focused attacks to access victims’ networks, then there’s a reconnaissance period where they find network assets, sensitive data, and backup files. They exfiltrate sensitive information, then lastly deploys ransomware on all connected systems.

The Ragnar Locker group employs various obfuscation tactics to elude security tools, with those strategies changing regularly. Ragnar Locker ransomware attacks could be recognized without difficulty since the encrypted files have a unique file extension – .RGNR_ <ID> . The ID created to make use of a hash of the NETBIOS name of the computer. The attackers leave their ID in the ransom notice dropped on victim devices.

The first attack vector is usually the Remote Desktop Protocol. The attacker utilizes stolen credentials or brute force attempts to discover weak passwords. The attacker makes use of VMProtect, UPX, and customized packing algorithms to encrypt files from Windows XP virtual machines that were deployed on the networks of the victims. The attackers stop security functions, which include programs typically employed by managed service providers to screen their clients’ systems, and encrypt data on all linked drives. They delete Shadow Volume copies to make it more challenging for victims to restore files without making ransom payment.

A number of ransomware variants seek out valuable files and encrypt files using unique extensions; nevertheless, Ragnar Locker is going to encrypt all files in directories that were not marked for skipping. The untouched folders consist of web browser directories, ProgramData and Windows.

The attackers steal files and threaten the victims that the data will be publicized to force them to give ransom payment. It’s possible to retrieve encrypted files using backups, however, the threat of exposing sensitive data may be what’s needed to make sure the ransom is paid for. The gang not too long ago used a compromised Facebook ads account to force Campari into pay the ransom.

To avert Ragnar Locker ransomware attacks, the following actions are suggested:

  • Obstruct the initial attack vector
  • Deactivate the RDP, when possible,
  • Use strong passwords
  • Implement multi-factor authentication
  • Keep all computers and networks updated with patches used right away.
  • Deploy antivirus application and configure it to update automatically
  • Remote connections should only be via a VPN
  • Do not utilize unsecured, public Wi-Fi connections

To make certain that files are recoverable in case of a successful attack, backups need to be routinely done, and backup copies saved on non-networked equipment. The FBI likewise remarks that it must not be possible to alter or erase backup copies from the device where the information is kept.