It is no secret that critical infrastructure is on cyber watch here in the United States. On March 7th, the FBI issued a flash warning regarding a strain of ransomware called RagnarLocker. At least 52 organizations across 10 critical infrastructure sectors have been affected by this variant of ransomware since it was first detected by the FBI in 2020. The list includes government agencies, manufacturing companies, financial services firms, and information technology firms. Threat actors behind RagnarLocker ransomware usually collaborate together, modifying the methods they use to distribute the ransomware constantly.
How It Works
RagnarLocker ransomware is complex and operates in the following way:
1. It attempts to identify the physical location of the infected machine utilizing Windows API GetLocaleInfoW and terminates the encryption process if the victim location is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian.”
2. To prevent multiple encryptions and corrupted data, the tool checks for current infections.
3. In the following step, it identifies all attached hard drives and assigns a drive letter to any volume that has not yet been assigned a logical drive letter. They are then accessible and can be encrypted.
4. All services running on infected machines are examined, and any services used for remote administration are terminated.
5. It then attempts to delete all Volume Shadow Copies, which will further disrupt an organization’s ability to retrieve data from the infected computer.
6. Lastly, it encrypts all available files. Instead of choosing files and folders to encrypt, it picks which to not encrypt. In general, it excludes core Windows OS files to prevent the machine from malfunctioning during the encryption process. Many times hackers will utilize the increasingly popular “double extortion” tactic, in which the attacker first exfiltrates sensitive data, then triggers the encryption attack, threatening to leak the stolen data if the target refuses to pay the ransom.
Indicators of Compromise
The FBI Flash Warning, on page 3, lists a number of Indicators of Compromise (IOC) associated with RagnarLocker Ransomware. Below are some examples of these IOCs.
Keeping ransom payments away from these threat actors is always the FBI’s recommendation. They believe this emboldens attackers to pursue these techniques against other organizations. They also urge all ransomware attacks to be reported. This provides investigators and analysts with the critical information they need to track ransomware attackers and hopefully prevent future attacks. If your organization has fallen victim to a ransomware attack, nGuard can help. Our incident response team is readily available to assist your organization. Preventative measures such as penetration testing and strategic security assessments can help mitigate risk in the first place and hopefully prevent such types of attacks.
Written by nGuard / March 17, 2022