A recent private-industry alert from the Federal Bureau of Investigation (FBI) warns that the threat actors behind Ragnar Locker ransomware have stepped up their attacks and are targeting businesses and organizations across a range of sectors.
Ragnar Locker ransomware was first identified in April 2020. The first known attack hit a large company; the attackers demanded roughly $11 million for the file decryption keys and a promise to securely delete 10 terabytes of stolen sensitive data.
Although the advisory does not name the victim, it appears to have been the multinational energy company Energias de Portugal (EDP). The same group has also attacked the Italian drinks company Campari and the Japanese game publisher Capcom.
Since then there have been further Ragnar Locker victims, including cloud service providers and companies in construction, communications, travel, enterprise software, and other industries.
As in other ransomware operations, the threat actors behind Ragnar Locker run targeted attacks to gain a foothold in the victim's network, then carry out a reconnaissance phase in which they map network resources, locate sensitive information, and identify backups. They exfiltrate the sensitive data and only then deploy the ransomware to every connected device.
The Ragnar Locker gang uses a range of obfuscation techniques to evade security tools, and changes them frequently. An infection is nevertheless easy to recognise: encrypted files are given the extension .RGNR_<ID>, where the ID is derived from a hash of the computer's NETBIOS name, and the ransom note left on the victim's machines identifies the group by name.
The initial attack vector is typically Remote Desktop Protocol (RDP), reached with stolen credentials or by brute-forcing weak passwords. The ransomware binary is packed with VMProtect, UPX, and custom packers, and the group has been observed running it inside a Windows XP virtual machine installed on the victim's host, so that the encryption takes place out of sight of endpoint security tools. Before encrypting, the malware terminates services commonly used by managed service providers to remotely administer their clients' systems, then encrypts files on all connected drives and deletes the Volume Shadow Copies so that victims cannot easily restore files without paying the ransom.
Many ransomware families look for files of interest and encrypt only those with particular extensions. Ragnar Locker works the other way round: it encrypts everything in any folder that is not on its exclusion list. The excluded folders include web browser directories, Windows, and ProgramData.
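As an added example (not from the FBI alert or this article), the following Python triage helper flags two of the indicators described above on constructed sample data: file names carrying the .RGNR_<ID> extension (and the matching ransom note), and process-creation log lines showing shadow-copy deletion. The hexadecimal form of the victim ID, the RGNR_<ID>.txt note file name, the log line format, and the use of vssadmin/wmic to delete shadow copies are assumptions; the page states only that the extension is .RGNR_<ID> and that shadow copies are deleted.

```python
"""Ragnar Locker triage helper (added example; constructed sample data).

Assumptions not stated on the page: the victim ID after RGNR_ is a run of
hex characters, the ransom note is named RGNR_<ID>.txt, and shadow copies
are removed with vssadmin/wmic command lines.
"""
import re
from dataclasses import dataclass, field

# Extension documented in the alert; hex ID is an assumption.
RGNR_EXT = re.compile(r"\.RGNR_([0-9A-Fa-f]{4,})$")
# Ransom note file name (assumed, widely reported but not on this page).
RANSOM_NOTE = re.compile(r"^RGNR_([0-9A-Fa-f]{4,})\.txt$", re.IGNORECASE)
# Shadow-copy deletion command lines (assumed; common across ransomware).
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)


@dataclass
class Findings:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    victim_ids: set = field(default_factory=set)
    shadow_delete_events: list = field(default_factory=list)

    @property
    def ragnar_locker_suspected(self) -> bool:
        # Either indicator alone is strong enough to open an incident.
        return bool(self.encrypted_files or self.ransom_notes)


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def scan_paths(paths, findings=None) -> Findings:
    """Flag encrypted files and ransom notes; collect the victim ID(s) seen."""
    if findings is None:
        findings = Findings()
    for path in paths:
        name = basename(path)
        m = RGNR_EXT.search(name)
        if m:
            findings.encrypted_files.append(path)
            findings.victim_ids.add(m.group(1).upper())
            continue
        m = RANSOM_NOTE.match(name)
        if m:
            findings.ransom_notes.append(path)
            findings.victim_ids.add(m.group(1).upper())
    return findings


def scan_process_log(lines, findings=None) -> Findings:
    """Flag process-creation lines that delete Volume Shadow Copies."""
    if findings is None:
        findings = Findings()
    for line in lines:
        if SHADOW_DELETE.search(line):
            findings.shadow_delete_events.append(line.strip())
    return findings


def triage(paths, log_lines) -> Findings:
    """Run both scans and return one combined Findings object."""
    findings = scan_paths(paths)
    return scan_process_log(log_lines, findings)


# Constructed sample data (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.RGNR_A1B2C3D4",
    r"C:\Users\alice\Documents\RGNR_A1B2C3D4.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\bob\photo.jpg",
    r"D:\share\contract.docx.RGNR_A1B2C3D4",
]
# Constructed process-creation log: "<time> <host> <user> <command line>".
SAMPLE_PROCESS_LOG = [
    "2020-11-19T10:02:11Z host1 alice cmd.exe /c vssadmin delete shadows /all /quiet",
    "2020-11-19T10:02:12Z host1 alice wmic.exe shadowcopy delete",
    "2020-11-19T10:05:00Z host1 alice notepad.exe C:\\report.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS, SAMPLE_PROCESS_LOG)
    print("Ragnar Locker suspected:", result.ragnar_locker_suspected)
    print("Victim ID(s):", sorted(result.victim_ids))
    print("Encrypted files:", len(result.encrypted_files))
    print("Shadow-copy deletions:", len(result.shadow_delete_events))
```

In a real investigation the path list would come from a file-system walk of the affected hosts and the log lines from Windows process-creation events forwarded to your SIEM; the victim ID is worth recording because, per the alert, it is derived from the host's NETBIOS name and so ties an encrypted file back to the machine it was encrypted on.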
The attackers also steal data and threaten to publish it to pressure victims into paying. Encrypted files may well be recoverable from backups, but the threat of releasing sensitive information can be enough to make a victim pay anyway. In Campari's case the gang went as far as running advertisements from a compromised Facebook account to pressure the company into paying.
To protect against Ragnar Locker ransomware attacks, the following steps are recommended:
- Block the initial attack vector
- Disable RDP where it is not needed
- Set strong passwords
- Implement multi-factor authentication
- Keep all computers and systems up to date, applying patches as soon as they are released
- Install antivirus software and configure it to update automatically
- Require a VPN for all remote connections
- Never use unsecured public Wi-Fi networks
To make sure files can be restored after a successful ransomware attack, take backups regularly and keep copies on a device that is not connected to the network. The FBI also advises that it should not be possible to modify or delete backup copies from the system where the data resides.