Content, Ransomware

FBI Issues RagnarLocker Ransomware Compromise, Cyberattack Indicators

Cybercrime, piracy and data theft. Network security breach. Compromised computer showing skull and bones symbol. Digital 3D rendering concept.

The Federal Bureau of Investigation (FBI) has issued a new Flash report detailing ransomware attacks by RagnarLocker, a hacking crew that goes after critical infrastructure installations.

The FBI said it first became aware of RagnarLocker in April 2020. As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government and information technology sectors. Currently, roughly 48 IP addresses, bitcoin addresses and email addresses are associated with indicators of compromise (IOC) for the ransomware: 32 IP addresses, 3 bitcoin addresses and 13 email addresses.

According to the FBI, here’s how the RagnarLocker actors operate:

  • Identify themselves as “RAGNAR_LOCKER,” leave a .txt ransom note with instructions on how to pay the ransom and decrypt the data.
  • Use VMProtect, UPX, and custom packing algorithms and deploy within an attacker’s custom Windows XP virtual machine on a target’s site. Ragnar Locker uses Windows API GetLocaleInfoW to identify the location of the infected machine.
  • If the victim location is identified as "Azerbaijani," "Armenian," "Belorussian," "Kazakh," "Kyrgyz," "Moldavian," "Tajik," "Russian," "Turkmen," "Uzbek," "Ukrainian," or "Georgian," the process terminates.
  • Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt, allowing the computer to appear operating as normal.

The FBI's 10 recommended mitigations include:

  1. Back-up critical data offline.
  2. Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  3. Secure back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  4. Use multi-factor authentication with strong passwords, including for remote access services.
  5. Keep computers, devices and applications patched and up-to-date.
  6. Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
  7. Consider adding an email banner to emails received from outside your organization.
  8. Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  9. Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  10. Implement network segmentation.

How MSPs and MSSPs Can Respond to and Recover From Ransomware Attacks

If a ransomware incident occurs, then the CISA, FBI and NSA recommend the following four actions:

  1. Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
  2. Scan your backups. If possible, scan your backup data with an antivirus program to check that it is free of malware.
  3. Report incidents immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office.
  4. Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.