FBI issued an alert on Ragnar Locker ransomware activity

Pierluigi Paganini November 23, 2020

The U.S. FBI is warning private industry partners of a surge in Ragnar Locker ransomware activity following a confirmed attack from April 2020.

The U.S. Federal Bureau of Investigation (FBI) issued a flash alert (MU-000140-MW) to warn private industry partners of an increase in Ragnar Locker ransomware activity following a confirmed attack in April 2020.

The MU-000140-MW flash alert includes indicators of compromise (IoCs) associated with this ransomware gang to help defenders detect its activity.

“The FBI first observed Ragnar Locker ransomware in April 2020, when unknown actors used it to encrypt a large corporation’s files for an approximately $11 million ransom and threatened to release 10 TB of sensitive company data,” reads the flash alert.

“Since then, Ragnar Locker has been deployed against an increasing list of victims, including cloud service providers, communication, construction, travel, and enterprise software companies. The FBI is providing details of Ragnar Locker ransomware to assist with understanding the code and identifying the activity.”

The threat actors behind Ragnar Locker first obtain access to a target’s network, then perform reconnaissance to locate network resources and backups and attempt to exfiltrate sensitive data. Once the reconnaissance phase is complete, the operators manually deploy the ransomware and start encrypting the victim’s data.

The operators behind Ragnar Locker frequently change their obfuscation techniques to avoid detection; they have also used VMProtect, UPX, and custom packing algorithms to pack their malicious code.

The operators have also deployed Ragnar Locker inside a custom Windows XP virtual machine on the target’s network to evade detection.

Ragnar Locker does not encrypt the system if its language is found to be “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian.”

The report contains other technical details about the ransomware and provides the following recommended mitigations:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Consider installing and using a VPN.
  • Use multi-factor authentication with strong passwords.
  • Keep computers, devices, and applications patched and up-to-date.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)
