The Federal Bureau of Investigation (FBI), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), has issued a TLP:WHITE flash alert warning organizations in critical infrastructure sectors about RagnarLocker ransomware attacks.
RagnarLocker ransomware was first used in attacks in December 2019, and the FBI first became aware of it in April 2020. According to the FBI, the RagnarLocker actors operate as part of a ransomware family and frequently change their obfuscation techniques to evade detection and prevention, so signatures tuned to one sample should not be assumed to catch the next. As of January 2022, the FBI had identified at least 52 critical infrastructure organizations across 10 sectors affected by RagnarLocker ransomware, including organizations in the critical manufacturing, energy, financial services, government, and information technology sectors.
The alert provides technical details of the ransomware and its attack methods. RagnarLocker is packed with VMProtect, UPX, and custom packing algorithms, and is deployed inside an attacker-supplied custom Windows XP virtual machine on the victim's network, which keeps the encryption process out of view of endpoint security tools running on the host. The ransomware checks the locale of the infected device using the Windows GetLocaleInfoW API and terminates if the locale is Russian or that of one of the former Soviet states. Rather than choosing which files to encrypt, the ransomware chooses which folders it will not encrypt and encrypts files in all other folders, so any directory not on its exclusion list, including unusual or newly created ones, is fair game.
The ransomware identifies all attached hard drives and encrypts files on all of them; volumes that have not been assigned a logical drive letter are assigned one so that they can be reached, which means unmounted backup or data volumes offer no protection. The ransomware iterates through all running services and terminates those typically used by managed service providers for remote administration, cutting off a common route for defenders to respond. It then attempts to silently delete all Volume Shadow Copies using vssadmin delete shadows /all /quiet and wmic shadowcopy delete, preventing recovery of encrypted files from local restore points without paying the ransom. Backups that survive this step are the ones kept offline or otherwise out of reach of an account with local administrative rights.
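The shadow copy deletion described above is one of the few steps in this chain that a defender can detect with ordinary process-creation telemetry before encryption completes. The following is an added example (not code from the FBI alert or from the RagnarLocker samples it describes) that applies a simple rule over constructed Sysmon Event ID 1 / Windows Security 4688-style records: it flags vssadmin delete shadows and wmic shadowcopy delete regardless of path, case or spacing, and rates a vssadmin /all deletion higher than a narrower one. The event field names, host names and log entries are all assumptions made up for the demonstration.

```python
"""Flag Volume Shadow Copy deletion in process-creation telemetry.

Added example, not from the FBI alert. The records in SAMPLE_EVENTS are
constructed to resemble Sysmon Event ID 1 / Windows 4688 fields and are
not real telemetry.
"""

# Constructed sample events (host, parent and image names are invented).
SAMPLE_EVENTS = [
    {"host": "FS01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "WS07", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                      # benign: enumeration only
    {"host": "DC01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get caption"},                        # benign: unrelated wmic use
    {"host": "WS07", "parent": "powershell.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "VSSADMIN.EXE  Delete   Shadows /For=C: /Oldest"},  # evasive spacing/case
]


def _program_name(token: str) -> str:
    """Reduce 'C:\\Windows\\System32\\vssadmin.exe' or 'VSSADMIN.EXE' to 'vssadmin'."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline: str):
    """Return (technique, severity) if the command line deletes shadow copies, else None."""
    tokens = cmdline.split()          # collapses runs of whitespace between arguments
    if not tokens:
        return None
    prog = _program_name(tokens[0])
    args = [t.lower() for t in tokens[1:]]
    if prog == "vssadmin" and args[:2] == ["delete", "shadows"]:
        # '/all' wipes every restore point on the host; '/for=' or '/oldest' is narrower
        severity = "high" if "/all" in args else "medium"
        return ("vssadmin delete shadows", severity)
    if prog == "wmic" and "shadowcopy" in args and "delete" in args:
        return ("wmic shadowcopy delete", "high")
    return None


def detect_shadow_copy_deletion(events):
    """Run classify() over a list of event dicts and return the matching findings."""
    findings = []
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit is None:
            continue
        technique, severity = hit
        findings.append({
            "host": ev["host"],
            "parent": ev["parent"],   # parent process is the first pivot for triage
            "technique": technique,
            "severity": severity,
            "cmdline": ev["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{f['severity']:>6}] {f['host']}: {f['technique']} "
              f"<- {f['cmdline']!r} (parent {f['parent']})")
```

Three of the five constructed records are flagged: the two on FS01 as high, the oddly spaced vssadmin /For=C: /Oldest command on WS07 as medium, while the enumeration-only vssadmin list shadows and the unrelated wmic query pass. In production, the parent process (explorer.exe or powershell.exe launching vssadmin is far more suspicious than a backup agent doing so) is the field to alert on, and the same two commands are the ones to block outright with application control on servers that never legitimately manage shadow copies.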
The alert provides indicators of compromise and recommended mitigations to help security teams detect and block RagnarLocker ransomware attacks. The FBI does not recommend paying the ransom: there is no guarantee that payment will result in the recovery of files, payment funds the gang's attacks on other victims, and each paid ransom encourages other cybercrime groups to launch attacks of their own. However, the FBI understands that when businesses are attacked and unable to function, they may see no alternative to paying the ransom.
The FBI has requested all victims of RagnarLocker ransomware attacks share information with their local FBI Cyber Squad, regardless of whether they chose to pay the ransom. The information will help the FBI to identify the individuals behind the attacks and bring them to justice.