Pierluigi Paganini March 08, 2022

The US FBI warns that the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations from multiple US critical infrastructure sectors.

The US Federal Bureau of Investigation (FBI) and CISA published a flash alert to warn that the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations across 10 critical infrastructure sectors. The ransomware operation has been active since late December 2019, this is the second time that the FBI first shares IoC related to RagnarLocker operation, the FBI first became aware of this threat in April 2020.“As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors,” reads the FBI’s flash alert. “RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.”

The flash alert provides details on attack infrastructure, Bitcoin addresses used by the gang to receive the payments of the ransom from the victims, and email addresses used by the gang’s operators.

The flash alert includes a series of mitigations to neutralize such attacks:

• Back-up critical data offline.
• Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
• Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
• Use multi-factor authentication with strong passwords, including for remote access services.
• Keep computers, devices, and applications patched and up-to-date.
• Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
• Consider adding an email banner to emails received from outside your organization.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Implement network segmentation.

Users who identify any suspicious activity within their enterprise or have related information,
are recommended to contact their local FBI Cyber Squad immediately with respect to the procedures outlined in the Reporting Notice section of this message.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Ragnar Locker ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]