The FBI is warning enterprises and other organizations about the ongoing threat from the Ragnar Locker ransomware group, which has consistently targeted critical infrastructure in recent years and has successfully compromised more than 50 such organizations.
Ragnar Locker ransomware has been in use for about two years and the actors behind it use a variety of tactics for initial compromise of their targets. Like many other ransomware groups, Ragnar Locker actors will try to brute force passwords, use stolen credentials, or take advantage of services that are exposed to the Internet, such as RDP, in order to gain initial access to a target network. After that, the actors look for ways to gain higher privileges and move laterally on the network.
“To elevate privileges, the attacker exploits the CVE-2017-0213 vulnerability in the Windows COM Aggregate Marshaler to run arbitrary code with elevated privileges. Having achieved privilege escalation, the attacker sometimes deploys a VirtualBox virtual machine (VM) with a Windows XP image to evade detection: an early use of a virtual machine image in this manner to run the ransomware encryption attack,” an analysis of the group by security firm Acronis says.
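The two stages described above, password brute forcing against exposed RDP for initial access and a VirtualBox VM spun up after privilege escalation, both leave traces in ordinary Windows telemetry. The following script is an added detection example written for this page; it is not code from the FBI alert or from Acronis. It runs over constructed, hypothetical log lines (hosts, users and IP addresses are invented) in a simplified key=value layout assumed for the example, not a real event export. It uses the real Windows Security event IDs 4625 (failed logon) and 4624 (successful logon), logon type 10 (RemoteInteractive, i.e. RDP), and Sysmon event 1 (process creation); the threshold, window and allowed-host list are assumptions a defender would tune locally.

```python
"""Detection sketch for two signals from the Ragnar Locker attack chain:
(1) an RDP brute-force burst followed by a successful logon from the same
    source, and (2) VirtualBox being launched on a host not expected to run it.
All log lines are CONSTRUCTED for this example; the key=value format is an
assumed simplification of Windows Security / Sysmon events."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON, PROC_CREATE = "4625", "4624", "1"  # real event IDs
RDP_LOGON_TYPE = "10"                                             # RemoteInteractive
VBOX_IMAGES = {"virtualbox.exe", "vboxheadless.exe", "vboxsvc.exe"}  # assumed set

# Constructed sample: six RDP failures then a success from 203.0.113.5 on FS01,
# one benign mistyped password from 198.51.100.7, a non-RDP logon, and two
# VirtualBox launches (one on a file server, one on a developer workstation).
SAMPLE_LOG = r"""
2022-03-07T02:14:01 host=FS01 event=4625 logon_type=10 user=admin src=203.0.113.5
2022-03-07T02:14:03 host=FS01 event=4625 logon_type=10 user=admin src=203.0.113.5
2022-03-07T02:14:05 host=FS01 event=4625 logon_type=10 user=administrator src=203.0.113.5
2022-03-07T02:14:08 host=FS01 event=4625 logon_type=10 user=backup src=203.0.113.5
2022-03-07T02:14:10 host=FS01 event=4625 logon_type=10 user=admin src=203.0.113.5
2022-03-07T02:14:12 host=FS01 event=4625 logon_type=10 user=admin src=203.0.113.5
2022-03-07T02:14:15 host=FS01 event=4624 logon_type=10 user=admin src=203.0.113.5
2022-03-07T02:20:00 host=FS01 event=4625 logon_type=10 user=jsmith src=198.51.100.7
2022-03-07T02:20:30 host=FS01 event=4624 logon_type=10 user=jsmith src=198.51.100.7
2022-03-07T02:31:00 host=FS01 event=4624 logon_type=3 user=svc_backup src=10.0.0.20
2022-03-07T02:45:12 host=FS01 event=1 user=admin image=C:\Oracle\VirtualBox\VBoxHeadless.exe
2022-03-07T09:02:00 host=DEV-WS01 event=1 user=dev image=C:\Oracle\VirtualBox\VirtualBox.exe
"""


def parse_line(line):
    """Turn '<iso timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_rdp_bruteforce(records, threshold=5, window=timedelta(minutes=10)):
    """Alert when >= threshold RDP failures from one source to one host inside
    `window` are followed by an RDP success from that same source."""
    failures = defaultdict(list)   # (src, host) -> timestamps of recent failures
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r.get("logon_type") != RDP_LOGON_TYPE:
            continue               # ignore non-RDP and non-logon events
        key = (r["src"], r["host"])
        # drop failures that have aged out of the window
        failures[key] = [t for t in failures[key] if r["ts"] - t <= window]
        if r["event"] == FAILED_LOGON:
            failures[key].append(r["ts"])
        elif r["event"] == SUCCESS_LOGON and len(failures[key]) >= threshold:
            alerts.append({"src": r["src"], "host": r["host"], "user": r["user"],
                           "failures": len(failures[key]), "at": r["ts"]})
            failures[key] = []     # one alert per burst
    return alerts


def detect_unexpected_vbox(records, allowed_hosts=frozenset()):
    """Flag process-creation events for VirtualBox binaries on hosts that are
    not on the allow list (servers normally have no reason to run a hypervisor)."""
    hits = []
    for r in records:
        if r["event"] != PROC_CREATE:
            continue
        image = r.get("image", "").lower().rsplit("\\", 1)[-1]
        if image in VBOX_IMAGES and r["host"] not in allowed_hosts:
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in detect_rdp_bruteforce(recs):
        print(f"RDP brute force: {a['src']} -> {a['host']} as {a['user']} "
              f"after {a['failures']} failures at {a['at']}")
    for h in detect_unexpected_vbox(recs, allowed_hosts={"DEV-WS01"}):
        print(f"Unexpected VirtualBox launch on {h['host']}: {h['image']}")
```

On the constructed sample this reports one brute-force alert (203.0.113.5 against FS01, six failures, then a successful `admin` logon) and one unexpected VirtualBox launch on FS01; the developer workstation is allow-listed and the single mistyped password from 198.51.100.7 stays below the threshold. One caveat for production use: when Network Level Authentication is enabled, failed RDP attempts are commonly logged with logon type 3 rather than 10, so a real rule should also count type 3 failures from external sources.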
In an alert published this week, the FBI released indicators of compromise for Ragnar Locker, and warned that the actors behind the ransomware have persistently gone after critical infrastructure organizations.
“As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” the FBI alert says.
Ransomware attacks on critical infrastructure organizations have drawn a great deal of attention from law enforcement in the last few years. In particular, the attacks on Colonial Pipeline and food processor JBS USA last year brought a tremendous amount of media attention and drew responses from the Biden administration, including an FBI operation that recovered a large portion of the $4.4 million ransom Colonial Pipeline paid to the DarkSide ransomware actors. The federal government has also started a task force focused on ransomware and created a Cryptocurrency Enforcement Team inside the Department of Justice to crack down on abuses of cryptocurrencies by cybercriminals.
Given the increased attention, many ransomware groups have chosen to steer clear of attacks on critical infrastructure organizations, focusing instead on enterprises and businesses in less-visible areas. But Ragnar Locker actors have gone a different way, and have also adopted the double-extortion method that other groups have used, demanding a ransom in order to decrypt files and another fee for not publishing stolen data. Like some other ransomware groups, Ragnar Locker maintains a leak site on which it publishes a list of victims and will post stolen data if its demands aren’t met.
“RagnarLocker encrypts all available files of interest. Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. Taking this approach allows the computer to continue to operate ‘normally’ while the malware encrypts files with known and unknown extensions containing data of value to the victim,” the FBI alert says.
For years the FBI has discouraged victims from paying the ransom, and it asks organizations to report infections even if they do decide to pay.
“Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks,” the alert says.