The Ragnar ransomware gang has been on a rampage, hitting 52 critical US organizations across sectors such as manufacturing, energy, financial services, government, and information technology, according to the FBI.
According to an FBI alert, the Ragnar ransomware gang came to light in early 2020 and has engaged in double extortion tactics. The group is known to steal sensitive data, encrypt a victim’s systems, and threaten to leak the stolen documents if the ransom is not paid.
According to Acronis, the group has so far posted stolen data from at least ten organizations on its public leak site. The FBI added that, as of January, the gang had hit entities across nearly a dozen critical infrastructure sectors, and its alert provides technical details on how the ransomware attacks work, summarized below.
RagnarLocker is identified by the extension “.RGNR_<ID>,” where <ID> is a hash of the computer’s NETBIOS name. The actors, identifying themselves as “RAGNAR_LOCKER,” leave a .txt ransom note, with instructions on how to pay the ransom and decrypt the data. RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker’s custom Windows XP virtual machine on a target’s site.
To identify the infected machine’s location, the Ragnar Locker malware uses the Windows API GetLocaleInfoW. The infection process terminates if the victim’s location resolves to certain European and Asian countries, including Russia and Ukraine.
Once deployed, Ragnar Locker kills a service commonly used by managed service providers to remotely control networks. It also attempts to silently delete all shadow copies so that users cannot recover encrypted files from them.
Ragnar Locker encrypts an organization’s data, but it does not choose which files to encrypt; instead it selects which folders to skip and encrypts everything else. As the FBI explained, “Taking this approach allows the computer to continue to operate ‘normally’ while the malware encrypts files with known and unknown extensions containing data of value to the victim.”
This means that when a logical drive is processed, i.e. the C: drive, the malware will not encrypt files in folders named Windows, Windows.old, Mozilla, Mozilla Firefox, Tor browser, Internet Explorer, $Recycle.Bin, Program Data, Google, Opera, or Opera Software.
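As an added triage example (not code from the FBI alert or the article), the following script scans constructed "host<TAB>path" file-event lines for the “.RGNR_<ID>” extension, extracts the <ID> per host, and flags encrypted files that sit under one of the folders the malware is documented to skip, which would be anomalous for this family. The log line format and the sample paths are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Top-level folders RagnarLocker leaves alone on a logical drive (from the FBI alert).
EXCLUDED_FOLDERS = {
    "windows", "windows.old", "mozilla", "mozilla firefox", "tor browser",
    "internet explorer", "$recycle.bin", "program data", "google", "opera",
    "opera software",
}

# Encrypted files carry ".RGNR_<ID>", where <ID> is derived from the NetBIOS name.
RGNR_RE = re.compile(r"\.RGNR_([0-9A-Fa-f]+)$")


def top_level_folder(path):
    """Return the lower-cased first folder below the drive root, or '' for root files."""
    parts = path.replace("/", "\\").split("\\")
    return parts[1].lower() if len(parts) > 2 else ""


def triage(events):
    """Summarize encrypted-file events per host.

    events: iterable of 'host<TAB>path' strings (constructed format, not a real log schema).
    Returns {host: {'ids': set of extension IDs, 'encrypted': count,
                    'in_excluded': count of hits inside folders the malware should skip}}.
    """
    summary = defaultdict(lambda: {"ids": set(), "encrypted": 0, "in_excluded": 0})
    for line in events:
        host, _, path = line.strip().partition("\t")
        match = RGNR_RE.search(path)
        if not match:
            continue  # not an encrypted-file rename; ignore
        record = summary[host]
        record["ids"].add(match.group(1))
        record["encrypted"] += 1
        if top_level_folder(path) in EXCLUDED_FOLDERS:
            record["in_excluded"] += 1  # worth a second look: skipped folders should stay untouched
    return dict(summary)


# Constructed sample events for demonstration only.
SAMPLE_EVENTS = [
    "WS01\tC:\\Users\\alice\\Documents\\q3-forecast.xlsx.RGNR_A1B2C3D4",
    "WS01\tC:\\Finance\\ledger.accdb.RGNR_A1B2C3D4",
    "WS01\tC:\\Windows\\System32\\drivers\\etc\\hosts",
    "WS01\tC:\\Users\\alice\\readme.txt",
    "FS02\tD:\\Shares\\hr\\payroll.csv.RGNR_0F0E0D0C",
    "FS02\tC:\\Program Data\\app\\cache.bin.RGNR_0F0E0D0C",
]

if __name__ == "__main__":
    for host, record in triage(SAMPLE_EVENTS).items():
        print(host, record)
```

A host that reports more than one <ID> contradicts the one-hash-per-machine naming and usually means events from different machines were merged under one hostname.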
The FBI has urged victims to report ransomware attacks to their local field office. The agency said it does not encourage paying ransoms to bad actors, while acknowledging that it is a difficult decision; executives should evaluate the situation and reach a decision that protects their shareholders, employees, and customers.