The FBI Cyber Division warns of increased activity of Ragnar Locker ransomware.
"The FBI first spotted Ragnar Locker ransomware in April 2020, when unknown criminals used it to encrypt the files of a large company for about $11 million and threatened to leak sensitive corporate data of 10 TB in size," says the FBI.
"Since then, Ragnar Locker ransomware has been used against a large list of victims, including cloud service providers, communications companies, construction and travel companies, and companies providing corporate software."
Ragnar Locker ransomware: Tactics
Initially, the gang behind the ransomware investigates the victim's network to locate network resources, backups and other sensitive files. The attackers steal these files so that they can threaten to publish them if the ransom is not paid. After the data has been exfiltrated, the criminals deploy the ransomware payload to encrypt the corporate network.
The Ragnar Locker gang is also known for frequently switching its payload obfuscation techniques to avoid detection, for using custom packing algorithms, and for encrypting files from within Windows XP virtual machines.
The ransomware can also stop services used by managed service providers (MSPs) to manage their clients' networks remotely.
Once these first steps are complete, the Ragnar Locker operators deploy a highly targeted ransomware executable that adds the "RGNR_" extension.
The ransomware has a built-in RSA-2048 key and drops ransom notes. Ragnar Locker ransom notes include the victim's name, a link to the gang's Tor site and a link to the data leak site where the group publishes the victim's data if the ransom is not paid.
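The two behaviours the article describes, a burst of stopped management services followed by files carrying the "RGNR_" marker, can be turned into a simple triage check. The following is an added example written for this article, not code from the article, the FBI notice or any vendor; the event records, service names and file paths in it are constructed placeholders, not real indicators.

```python
# Added example: flag a burst of service stops that is followed shortly by
# a file whose name carries the "RGNR_" marker mentioned in the article.
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, kind, detail). Service names
# and paths are hypothetical, chosen only to exercise the detector.
SAMPLE_EVENTS = [
    ("2020-04-13T02:00:05", "service_stop", "RemoteMgmtAgent"),
    ("2020-04-13T02:00:06", "service_stop", "BackupSvc"),
    ("2020-04-13T02:00:07", "service_stop", "MonitoringAgent"),
    ("2020-04-13T02:03:40", "file_create", r"C:\shares\finance\RGNR_readme.txt"),
    ("2020-04-13T09:15:00", "service_stop", "PrintSpooler"),  # isolated, benign
]

def parse(events):
    """Convert raw (timestamp, kind, detail) tuples into datetime-keyed tuples."""
    return sorted((datetime.fromisoformat(ts), kind, d) for ts, kind, d in events)

def is_rgnr_file(path):
    """True if the file name (not the directory) carries the RGNR_ marker."""
    return "RGNR_" in path.replace("/", "\\").rsplit("\\", 1)[-1].upper()

def ragnar_like_sequence(events, min_stops=3,
                         stop_window=timedelta(minutes=1),
                         follow_window=timedelta(minutes=10)):
    """Return [(burst_start, rgnr_path)] for every burst of at least min_stops
    service stops inside stop_window that is followed, within follow_window
    of the burst's last stop, by an RGNR_-named file. Overlapping windows are
    collapsed so one burst is reported once."""
    parsed = parse(events)
    stops = [e for e in parsed if e[1] == "service_stop"]
    files = [e for e in parsed if e[1] == "file_create" and is_rgnr_file(e[2])]
    hits, i = [], 0
    while i < len(stops):
        burst = [s for s in stops[i:] if s[0] - stops[i][0] <= stop_window]
        if len(burst) < min_stops:
            i += 1
            continue
        burst_end = burst[-1][0]
        for f in files:
            if burst_end <= f[0] <= burst_end + follow_window:
                hits.append((stops[i][0], f[2]))
                break
        i += len(burst)  # skip past this burst so it is not re-reported
    return hits

if __name__ == "__main__":
    for start, path in ragnar_like_sequence(SAMPLE_EVENTS):
        print(f"{start.isoformat()} service-stop burst followed by {path}")
```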
Attack on Portuguese energy company EDP
The FBI did not provide further details about the large company that fell victim to Ragnar Locker ransomware in April. However, the details fit perfectly with an attack on the energy company Energias de Portugal (EDP).
EDP is one of the largest energy providers in Europe and serves around 11 million customers in 19 countries and on 4 continents.
The Ragnar Locker gang managed to steal 10 TB of confidential corporate data, some of it relating to contracts with clients and partners. The attackers also stole a database containing login names, passwords, accounts, URLs and notes belonging to EDP staff.
However, an EDP spokesman told BleepingComputer that the attack had no impact on critical infrastructure and the electricity service.
The FBI often issues warnings about various threats. In the last year, it has warned US companies about other ransomware, such as LockerGoga, MegaCortex, Maze, Netwalker and ProLock.
Source: Bleeping Computer