The U.S. Federal Bureau of Investigation (FBI) issued a flash alert (MU-000140-MW) to warn private industry partners of an increase in Ragnar Locker ransomware activity following a confirmed attack in April 2020.
The MU-000140-MW flash alert includes indicators of compromise (IoCs) associated with this ransomware gang to help defenders detect its activity.
“The FBI first observed Ragnar Locker ransomware in April 2020, when unknown actors used it to encrypt a large corporation’s files for an approximately $11 million ransom and threatened to release 10 TB of sensitive company data,” reads the flash alert.
“Since then, Ragnar Locker has been deployed against an increasing list of victims, including cloud service providers, communication, construction, travel, and enterprise software companies. The FBI is providing details of Ragnar Locker ransomware to assist with understanding the code and identifying the activity.”
Threat actors behind the Ragnar Locker ransomware first obtain access to a target’s network, then perform reconnaissance to locate network resources and backups, in an attempt to exfiltrate sensitive data. Once the reconnaissance phase is complete, the operators manually deploy the ransomware and start encrypting the victim’s data.
Operators behind the Ragnar Locker ransomware frequently change obfuscation techniques to avoid detection; they have also used VMProtect, UPX, and custom packing algorithms to pack their malicious code.
Operators have also deployed Ragnar Locker inside a custom Windows XP virtual machine on a target’s site to avoid detection.
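As an added illustration of the packer problem the alert describes, the following Python script (example code written for this article, not code from the FBI alert, Security Affairs, or the Ragnar Locker operators) reads a PE file’s section table and flags sections whose names are typical of UPX or VMProtect output or whose byte entropy is near the maximum, which is what a packed or encrypted payload looks like on disk. The packer section-name list, the 7.0 bits-per-byte threshold, and the synthetic sample binary built by `build_sample_pe()` are assumptions made for the example; the parser itself follows the documented PE layout (DOS header, PE signature, COFF header, section headers).

```python
"""Entropy/packer triage for PE files (added example, not from the FBI alert).

One cheap defender-side signal for packed binaries such as the VMProtect- or
UPX-wrapped Ragnar Locker samples is per-section Shannon entropy combined with
the section names well-known packers leave behind.  The section-name list and
the entropy threshold below are assumptions for illustration; tune them locally.
"""
import math
import struct
from collections import Counter

# Section names commonly left behind by packers (assumed list for illustration).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".vmp0", ".vmp1", ".vmp2"}
HIGH_ENTROPY = 7.0   # bits per byte; assumed threshold (8.0 is the maximum)
MIN_SECTION_LEN = 256  # ignore tiny sections, whose entropy is noisy


def shannon_entropy(data: bytes) -> float:
    """Return Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) for each section of a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)      # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                    # COFF file header
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                           # first section header
    for i in range(num_sections):
        off = table + 40 * i                               # 40-byte section header
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def triage_pe(pe: bytes) -> dict:
    """Return per-section findings plus an overall 'suspicious' verdict."""
    findings, suspicious = [], False
    for name, raw in parse_sections(pe):
        ent = shannon_entropy(raw)
        reasons = []
        if name in PACKER_SECTION_NAMES:
            reasons.append("packer section name")
        if ent >= HIGH_ENTROPY and len(raw) >= MIN_SECTION_LEN:
            reasons.append("high entropy")
        suspicious = suspicious or bool(reasons)
        findings.append({"name": name, "entropy": round(ent, 2), "reasons": reasons})
    return {"suspicious": suspicious, "sections": findings}


def build_sample_pe(sections) -> bytes:
    """Construct a minimal synthetic PE32 image for offline testing.

    `sections` is a list of (name, payload_bytes).  This is constructed test
    data, not a real binary: only the fields parse_sections() reads are filled.
    """
    opt_size = 0xE0                                        # PE32 optional header size
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body, raw_ptr = b"", b"", header_len
    for name, payload in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(payload), 0x1000, len(payload),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        raw_ptr += len(payload)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table + body


if __name__ == "__main__":
    # Constructed sample: a flat NOP-sled-like .text and a UPX1 section holding
    # every byte value equally often (maximum entropy, as packed data looks).
    sample = build_sample_pe([(".text", b"\x90" * 512),
                              ("UPX1", bytes(range(256)) * 2)])
    for s in triage_pe(sample)["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.2f} {', '.join(s['reasons'])}")
```

Entropy alone is a weak signal (compressed resources and legitimate protectors also score high), so treat a hit as a reason to pull the file for sandboxing or manual unpacking rather than as a verdict; the section-name check catches the commodity packers, while custom packers only show up through the entropy side.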
Ragnar Locker does not encrypt the system if its language is found to be “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian.”
The report contains other technical details about the ransomware and provides the following recommendations to mitigate the threat:
(SecurityAffairs – hacking, malware)