Increasing Ragnar Locker Ransomware Activity leads to FBI Warning

Hackers using Ragnar Locker ransomware have increased up their activity and have been focusing on companies and groups in a number of different sectors, according to a recent private sector alert released by the Federal Bureau of Investigation (FBI).

Ragnar Locker ransomware was first discovered by security experts during April 2019, with the first identified attack aimed at a large corporation that was sent with an $11 ransom demand for the keys to unlock files and ensure the secure removal of the 10 terabytes of sensitive data stolen in the attack.

While not included specifically in the FBI alert, the attack seems to have been on the multinational energy group, Energias de Portugal. The gang was also responsible for the ransomware attacks on the Italian drinks company Campari and the Japanese gaming business Capcom.

Since that attack, the amount of people impacted by Ragnar Locker victims has been steadily growing. Attacks have been successfully carried out on cloud service providers, and companies in communication, construction, travel, enterprise software, and other sectors.

As is the case with other human-operated ransomware attacks, the threat actors behind Ragnar Locker ransomware carry out focused attacks to obtain a foothold in victims’ networks, then have a reconnaissance phase where they spot network resources, sensitive data, and backup files. Sensitive data is exfiltrated, then the final stage of the attack involves the deployment of ransomware on all linked devices.

The Ragnar Locker gang employs a range of obfuscation methods to evade security solutions, with those techniques changing frequently. Ragnar Locker ransomware attacks are simply spotted distinguished, as the encrypted files are allocated a unique extension – .RGNR_<ID>, with the ID created using a hash of the computer’s NETBIOS name. The hackers also identify themselves in the ransom note left on victim devices.

The first attack vector is often Remote Desktop Protocol using stolen details or brute force attempts to identify weak passwords. The gang uses VMProtect, UPX, and custom packing algorithms and encrypt files from Windows XP virtual machines that have been placed on victims’ networks. The hackers terminate security processes, including programs commonly employed by managed service providers to review their clients’ networks, and encrypt files on all networked drives. Shadow Volume copies are removed to make it more difficult for victims to recover files without paying the ransom.

Most ransomware strains seek files of interest and encrypt files with specific extensions; however, Ragnar Locker will encrypt all files in folders that have not been previously marked to be skipped. The untouched folders incorporate Windows, ProgramData, and web browser directories.

The cybercriminals steal data and use the threat of publication to apply pressure on firms to pay the ransom. It may be possible to restore encrypted files from backups, but the threat of the share sensitive data may be sufficient to ensure the ransom is met. The gang recently conducted a Facebook ad campaign using a compromised account to pressure Campari into paying the ransom.

To stop Ragnar Locker ransomware attacks it is necessary to prevent the initial attack vector. RDP should be disabled if possible, strong passwords should be set, multi-factor authentication implemented, and all computers and systems should be kept up to date with patches applied quickly. Antivirus software should be downloaded and set to update automatically, and remote connections should only be possible through a VPN, and never using unsecured, public Wi-Fi networks.

To see to it that files can be retrieved following a successful attack, backups should be regularly carried out, and copies of backups stored on a non-connected device. The FBI also stated that it should not be possible to amend or remove backups from the system where the data is placed.