
Ragnar Locker Ransomware hits 52 critical US infrastructure sectors

John Greenwood Posted On March 8, 2022

The Federal Bureau of Investigation (FBI) announced that the Ragnar Locker ransomware gang has compromised the networks of 52 organizations that belong to several critical US infrastructure sectors. The figure was revealed in a joint TLP:WHITE flash alert published by the Cybersecurity and Infrastructure Security Agency (CISA) on Monday.

“As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by Ragnar Locker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors,” said the agency.

What is Ragnar Locker ransomware?

Ragnar Locker ransomware was first observed in April 2020. It uses the double extortion tactic: the attacker first exfiltrates the organization’s sensitive business data, then encrypts that data and threatens to leak it if the victim fails to pay the demanded ransom in time. So far, Ragnar Locker ransomware operators have infected ten victims whose data has been leaked online.

The Ragnar Locker ransomware gang employs virtual machine images to deploy and execute payloads in order to avoid malware detection tools. The gang uses the Salsa20 encryption algorithm for files and RSA-2048 to encrypt the file keys. The operators have been seen exploiting the CVE-2017-0213 vulnerability to gain elevated privileges and orchestrate their attack.

Ragnar Locker ransomware attack on 52 US organizations

The ransomware actors frequently work with other ransomware operators to modify their tactics and techniques to avoid malware detection tools.

The FBI and CISA wanted to provide the indicators of compromise (IOCs) that firms can use to identify and block Ragnar Locker ransomware threats. The IOCs include attack vector, infrastructure, Bitcoin address, and email address used by the threat actors.
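A sketch of how a defender could sweep telemetry for the three IOC types named above (infrastructure address, e-mail address, Bitcoin address). This is an added example, not code from the flash alert or the article; every indicator and log line in it is a constructed placeholder, and it assumes the feed is published defanged (`[.]`, `[at]`, `hxxp`).

```python
import re

# Constructed placeholder indicators, NOT values from the FBI flash alert.
# They are written defanged, as advisories often publish them (assumption).
FEED = {
    "ip": ["192[.]0[.]2[.]4"],
    "email": ["operator[at]example[.]com"],
    "btc": ["1CoNSTRUCTEDexampLeAddressXXXXXXX"],
}

# Constructed sample telemetry: proxy log, mail log, ransom-note text.
SAMPLE_LINES = [
    "2022-03-07T10:01:12Z proxy src=10.1.4.23 dst=192.0.2.4 port=443 allow",
    "2022-03-07T10:01:15Z proxy src=10.1.4.23 dst=192.0.2.44 port=443 allow",
    "2022-03-07T10:05:40Z smtp from=<Operator@Example.com> to=<it@corp.test>",
    "note.txt: send payment to 1CoNSTRUCTEDexampLeAddressXXXXXXX within 72h",
    "2022-03-07T10:09:02Z smtp from=<helpdesk.operator@example.com.test>",
]

def refang(text):
    """Undo common defanging so feed entries and telemetry compare equal."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)
    text = re.sub(r"\[at\]|\(at\)|\[@\]", "@", text, flags=re.I)
    return re.sub(r"\bhxxp", "http", text, flags=re.I)

def compile_feed(feed):
    """Turn each indicator into a regex that matches whole tokens only."""
    rules = []
    for kind, values in feed.items():
        flags = re.I if kind == "email" else 0  # Base58 is case-sensitive
        for value in values:
            ioc = refang(value)
            # Reject hits embedded in a longer address (192.0.2.44, a.b@c.d.e).
            pattern = r"(?<![\w.])" + re.escape(ioc) + r"(?!\w|\.\w)"
            rules.append((kind, ioc, re.compile(pattern, flags)))
    return rules

def sweep(lines, feed=FEED):
    """Return (line_number, kind, indicator) for every whole-token hit."""
    rules = compile_feed(feed)
    hits = []
    for number, line in enumerate(lines, start=1):
        clean = refang(line)
        hits.extend((number, kind, ioc) for kind, ioc, rx in rules if rx.search(clean))
    return hits

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LINES):
        print(hit)
```

Lines 2 and 5 of the sample are near misses that a plain substring search would flag; the token boundaries keep them out of the results.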

Ragnar Locker ransomware and their attack vectors

The Ragnar Locker ransomware gang has been seen manipulating RMM software such as ConnectWise and Kaseya, which MSPs use to control client devices remotely. This attack vector allows the ransomware operators to evade malware detection and ensures that IT admins don’t get suspicious during ransomware deployment. The operators carry out the double-extortion attack and publish the stolen data on their data leak site.

Ragnar Locker Ransomware data leak site

FBI requests further details from IT professionals

The FBI has also asked IT admins and security professionals to share any Ragnar Locker ransomware related information with the local FBI Cyber Squad, including details such as ransom demands, ransom notes, malicious activity timelines, payload samples, attack vector, devices targeted, vulnerability exploited and more.

The FBI also shared mitigation procedures to prevent such attacks and asked victims to report ransomware and other similar cyber incidents to their local FBI field office.

In recent times, multiple ransomware operators have been targeting organizations worldwide, starting with AvosLocker ransomware, Babuk ransomware and Cuba ransomware last year, followed by the BlackByte ransomware attack on the San Francisco 49ers this year.

It is the responsibility of US organizations to work together to understand the emerging cyber threats and build their defenses accordingly every day.



Author

John Greenwood

He has been working with Cybersec and Infosec market for 12+ years now. Passionate about AI, Cybersecurity, Info security, Blockchain and Machine Learning. When he is not occupied with cybersecurity, he likes to go on bike rides!
