Threat actors using Ragnar Locker ransomware have stepped up their attacks and have been targeting businesses and organizations in many sectors, according to a recent private industry alert from the Federal Bureau of Investigation (FBI).
Ragnar Locker ransomware was first identified by security researchers in April 2019, with the first known attack targeting a large corporation that was issued with an $11 ransom demand for the keys to decrypt files and ensure the secure deletion of the 10 terabytes of sensitive data stolen in the attack.
While not named in the FBI alert, the attack appears to have been on the multinational energy company, Energias de Portugal. The gang was also behind the ransomware attacks on the Italian drinks giant Campari and the Japanese gaming firm Capcom.
Since that attack, the number of Ragnar Locker victims has been steadily growing. Attacks have been successfully conducted on cloud service providers, and companies in communication, construction, travel, enterprise software, and other industries.
As with other human-operated ransomware attacks, the threat actors behind Ragnar Locker ransomware conduct targeted attacks to gain a foothold in victims’ networks, then have a reconnaissance phase where they identify network resources, sensitive data, and backup files. Sensitive data is exfiltrated, then the final stage of the attack involves the deployment of ransomware on all connected devices.
The Ragnar Locker gang uses a variety of obfuscation techniques to evade security solutions, with those techniques changing frequently. Ragnar Locker ransomware attacks are easily distinguished, as the encrypted files are given a unique extension – .RGNR_<ID>, with the ID created using a hash of the computer’s NETBIOS name. The attackers also identify themselves in the ransom note dropped on victim devices.
The initial attack vector is commonly Remote Desktop Protocol (RDP) using stolen credentials or brute-force attempts to guess weak passwords. The gang uses VMProtect, UPX, and custom packing algorithms, and encrypts files from Windows XP virtual machines that have been deployed on victims’ networks. The attackers terminate security processes, including programs commonly used by managed service providers to monitor their clients’ networks, and encrypt files on all connected drives. Volume Shadow Copies are deleted to make it harder for victims to recover files without paying the ransom.
Many ransomware variants search for files of interest and encrypt files with specific extensions; however, Ragnar Locker will encrypt all files in folders that have not been previously marked to be skipped. The untouched folders include Windows, ProgramData, and web browser directories.
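The two identifying traits described above, the `.RGNR_<ID>` extension shared by every file a host encrypts and the folders that are left untouched, lend themselves to a simple triage check over a file listing taken from an affected share or disk image. The script below is an added example written for this article, not code from the FBI alert or from any incident; the file paths are constructed for illustration, and the list of skipped folders models only the two the alert names (Windows and ProgramData), since the browser directories it mentions are not enumerated.

```python
"""Triage a file listing for the Ragnar Locker naming pattern described in the alert."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Encrypted files carry the extension .RGNR_<ID>. The ID is derived from a hash of the
# host's NetBIOS name, so every file encrypted by one machine should share the same ID.
RGNR_RE = re.compile(r"\.RGNR_([0-9A-Za-z]+)$")

# Top-level folders the alert says Ragnar Locker leaves untouched. (Assumption: the
# alert also names web browser directories but does not list them, so they are omitted.)
SKIPPED_TOP_LEVEL = {"windows", "programdata"}

# Constructed sample listing, as an incident responder might export it from a share.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.RGNR_A1B2C3D4",
    r"C:\Users\alice\Documents\notes.txt.RGNR_A1B2C3D4",
    r"D:\Shares\finance\q3.pdf.RGNR_A1B2C3D4",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\ProgramData\vendor\config.ini",
    r"C:\Users\alice\Desktop\readme.txt",
]


def extract_id(path: str):
    """Return the <ID> part if the file name ends in .RGNR_<ID>, otherwise None."""
    m = RGNR_RE.search(PureWindowsPath(path).name)
    return m.group(1) if m else None


def in_skipped_folder(path: str) -> bool:
    """True if the file sits under a top-level folder the ransomware is said to skip."""
    parts = PureWindowsPath(path).parts  # e.g. ('C:\\', 'Windows', 'System32', ...)
    return len(parts) > 1 and parts[1].lower() in SKIPPED_TOP_LEVEL


def triage(paths):
    """Summarise a listing: how many files were renamed, which IDs appear, and any
    anomalies (renamed files inside folders the alert says are skipped)."""
    ids = Counter()
    anomalies = []
    for p in paths:
        rid = extract_id(p)
        if rid is None:
            continue
        ids[rid] += 1
        if in_skipped_folder(p):
            anomalies.append(p)
    return {
        "encrypted_count": sum(ids.values()),
        "ids": dict(ids),
        # More than one ID in a single listing means files written by more than one
        # encrypting host, which widens the scope of the investigation.
        "multiple_hosts": len(ids) > 1,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    print(f"{result['encrypted_count']} renamed files, IDs: {result['ids']}")
    if result["multiple_hosts"]:
        print("Files from more than one encrypting host are present.")
    for p in result["anomalies"]:
        print(f"Unexpected: renamed file in a normally skipped folder: {p}")
```

Run against the constructed listing, the script reports three renamed files all carrying the ID `A1B2C3D4`, i.e. a single encrypting host, and no renamed files inside the skipped folders. The ID grouping is the useful part in practice: a share that shows several distinct IDs was encrypted from several machines, and each of those hosts needs to be contained.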
The attackers steal data and use the threat of publication to apply pressure on companies to pay the ransom. It may be possible to restore encrypted files from backups, but the threat of the release of sensitive data may be sufficient to ensure the ransom is paid. The gang recently took out Facebook ads using a compromised account to pressure Campari into paying the ransom.
To prevent Ragnar Locker ransomware attacks it is necessary to block the initial attack vector. RDP should be disabled if possible, strong passwords should be set, multi-factor authentication implemented, and all computers and systems should be kept up to date with patches applied promptly. Antivirus software should be installed and set to update automatically, and remote connections should only be possible through a VPN, and never via unsecured, public Wi-Fi networks.
To ensure that files can be recovered in the event of a successful attack, backups should be regularly performed, and copies of backups stored on a non-networked device. The FBI also points out that it should not be possible to modify or delete backups from the system where the data resides.