A recent increase in Ragnar Locker ransomware activity has prompted the Federal Bureau of Investigation (FBI) to issue a warning to private industry partners. The alert provides information to help system administrators and security professionals protect against attacks.
Ragnar Locker is a relatively new ransomware strain, first identified in April 2020. The ransomware variant was used in an attack by unknown threat actors on a large, unnamed corporation in April 2020. Prior to the encryption of files, the attackers claimed to have stolen 10 TB of sensitive data and threatened to publicly release the data if the $11 million ransom was not paid. Since then, the gang has conducted many attacks on a broad range of companies, including firms in the construction, communication, travel, and enterprise software sectors and cloud service providers.
As with other human operated ransomware operations, the attacks are targeted and the threat actors spend time conducting reconnaissance to identify network resources, backup files, and sensitive data prior to deploying their ransomware payload. Once that stage of the attack is completed, data is exfiltrated, then the ransomware routine is triggered. The threat actors use a variety of obfuscation techniques to evade detection by security solutions and those techniques frequently change.
The attackers check the location of the device and the process will terminate if it is in Russian or former Russian states, and similarly if the device has current infections to prevent the corruption of data.
They force running services to stop to prevent the attack from being detected by managed service providers’ remote management solutions on their client’s networks. Services terminated include vss, sql, memtas, mepocs, sophos, dfs, splashtop, veeam, backup, pulseway, logme, logmein, mysql, and connectwise, and many more.
The attackers deploy Windows XP virtual machines on their victims’ systems from which custom packing and encrypting algorithms are used. The ransomware will encrypt files on all attached hard drives, even if those drives have not been assigned a drive letter. The ransomware will also attempt to delete Volume Shadow Copies using vssadmin and wmic.exe to prevent the recovery of encrypted files.
Rather than encrypt certain types of files, Ragnar Locker will encrypt all folders that have not been marked as not to be encrypted, such as the Windows, ProgramData, $Recycle.Bin, and web browser folders. This approach allows data to be encrypted while the computer continues to function near normally. The ransomware will also not encrypt .sys, .db, .msi, .lnk, .dll, .drv, or .exe files.
Ragnar Locker ransomware attacks can be identified by the extension .RGNR_<ID> which is added to encrypted files. The ID is a hash of the computer’s NETBIOS name. Also, the ransom note dropped on computers identifies the attackers as RAGNAR_LOCKER.”
The ransom note contains information on how to pay the ransom, details of the TOR site, and the URL of the site where stolen data will be dumped if the ransom is not paid. The gang offers the option of a live chat with victims and contact must be made to discover the ransom demand.
The FBI recommends using antivirus and antimalware solutions and keeping those solutions up to date, patching promptly, using multi-factor authentication, strong passwords, only using secure networks, and to avoid the use of public Wi-Fi networks.
To ensure that files can be recovered without paying the ransom, regular backups should be performed and one copy of a backup of critical data should be stored offline, such as in the cloud or on a non-connected hard drive. It is also important to ensure that backups and data are not accessible for modification or deletion from the system where the data resides.