RagnarLocker Ransomware Connected to Hacks at 52 Organizations
New guidance from the FBI contains IOCs and technical details on how the ransomware spreads.
While continued and consistent law enforcement action against ransomware has helped curb the threat, it still persists.
The Federal Bureau of Investigation said this week that the Ragnar Locker ransomware group in particular has had success over the past few months, breaching at least 52 organizations from several U.S. critical infrastructure sectors.
While RagnarLocker isn't new - the FBI notes it first became familiar with it in 2020 - attacks involving the ransomware have picked up. According to CU-000163-MW, a flash alert (.PDF) pushed to organizations on Monday, RagnarLocker has hit entities in manufacturing, energy, financial services, government, and information technology sectors of late.
Like most ransomware strains, Ragnar Locker leaves a .txt ransom note instructing users how to pay. It encrypts files and appends ".RGNR_<ID>" to each file name, where <ID> is a hash of the machine's NETBIOS name. Like other ransomware strains, the malware avoids systems that primarily use Russian or related languages: it calls the Windows API GetLocaleInfoW to identify the infected machine's locale, and if the machine is located in one of a dozen European and Asian countries, including Russia and Ukraine, the infection process terminates.
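A defender-side illustration of the file-name pattern described above, written for this article and not taken from the FBI alert: it scans constructed file-event records for files that gained a ".RGNR_<ID>" suffix and raises an alert when one host shows a burst of them. The hash format of <ID> is not stated in the alert, so accepting any run of hex digits and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict

# RagnarLocker appends ".RGNR_<ID>" to encrypted files, where <ID> is a hash of
# the host's NETBIOS name. The alert does not specify the hash algorithm or
# length, so any run of at least six hex digits is accepted (assumption).
RGNR_SUFFIX = re.compile(r"\.RGNR_([0-9A-Fa-f]{6,})$")

# Constructed sample file-create/rename events: (epoch_seconds, host, path).
SAMPLE_EVENTS = [
    (1000, "WKS-07", r"C:\Users\a\Documents\q1.xlsx.RGNR_A1B2C3D4"),
    (1003, "WKS-07", r"C:\Users\a\Documents\q2.xlsx.RGNR_A1B2C3D4"),
    (1004, "WKS-07", r"C:\Users\a\Pictures\p.png.RGNR_A1B2C3D4"),
    (1010, "WKS-07", r"C:\Users\a\Desktop\notes.docx.RGNR_A1B2C3D4"),
    (1011, "WKS-07", r"C:\Users\a\Desktop\plan.pptx.RGNR_A1B2C3D4"),
    (1020, "WKS-07", r"C:\Users\a\Desktop\RGNR_A1B2C3D4.txt"),  # not a suffix
    (1500, "SRV-01", r"D:\share\report.pdf.RGNR_FFEE0011"),       # single hit
    (2000, "SRV-01", r"D:\share\old.bak"),
]

def rgnr_id(path):
    """Return the <ID> part if the path carries the .RGNR_<ID> suffix, else None."""
    m = RGNR_SUFFIX.search(path)
    return m.group(1) if m else None

def detect_rgnr_burst(events, threshold=5, window_s=60):
    """Return {host: {"count": n, "ids": [...]}} for every host where at least
    `threshold` files gained a .RGNR_<ID> suffix within `window_s` seconds.
    Because <ID> is derived from the NETBIOS name, a healthy alert lists one ID
    per host; several IDs on one host would point at mislabelled events."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        rid = rgnr_id(path)
        if rid:
            per_host[host].append((ts, rid))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):           # sliding time window over hits
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                ids = sorted({rid for _, rid in hits[start:end + 1]})
                alerts[host] = {"count": end - start + 1, "ids": ids}
                break
    return alerts

if __name__ == "__main__":
    print(detect_rgnr_burst(SAMPLE_EVENTS))  # only WKS-07 trips the threshold
```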
In its alert, the FBI supplies defenders with indicators of compromise (IOCs) to counter RagnarLocker, including IP addresses, Bitcoin addresses, and email addresses reportedly used by the ransomware gang's members.
One of the reasons the ransomware has had success appears to be its ability to avoid being detected. Once it starts, RagnarLocker terminates any services commonly used by an organization's managed service provider to perform remote admin work on a network.
RagnarLocker shouldn't be confused with Ragnarok, a different strain of ransomware that made the rounds for a couple of years before closing up shop last summer. A handful of companies, including some from France, Estonia, Sri Lanka, Turkey, Thailand, the U.S., Malaysia, and Hong Kong, fell victim to that ransomware; the group behind it shuttered unexpectedly last summer, releasing a master key that helped victims decrypt their files.
To mitigate the threat, the FBI is encouraging organizations to take many of the measures it has recommended in the past, including making sure critical data is backed up offline, either in the cloud or on an external storage device; using multi-factor authentication; and keeping all devices and applications patched against known vulnerabilities.
The notice is the latest alert on ransomware activity released by the FBI in coordination with the Cybersecurity and Infrastructure Security Agency (CISA); the bureau has been more transparent about how successful some groups have been.
It said in December that the Cuba ransomware gang had compromised 49 different organizations across the U.S. and made $40 million in the process. It said last month that the BlackByte group had compromised at least three organizations, including those in the government facilities, financial, and food and agriculture industries.
Part of the FBI's goal in communicating the news is to encourage organizations to contact their local FBI offices if they become the victim of a ransomware attack. Reporting, in turn, helps prevent future intrusions and attacks.