FBI finds Ragnar Locker hit 52 U.S. critical infrastructure targets
While providing an updated list of indicators of compromise, the FBI revealed that a range of critical sectors were attacked by the ransomware group.
Over the past two years, the Ragnar Locker ransomware gang attacked more than 50 critical infrastructure entities in the U.S., according to the FBI.
A flash alert issued Monday by the law enforcement agency's cyber division detailed new indicators of compromise for the variant, which the FBI tracked from April 2020 through January 2022. During that time, the FBI observed "at least 52 entities across 10 critical infrastructure sectors" affected by the ransomware, including critical manufacturing, energy, financial, government and information technology.
Sophisticated evasion tactics and high extortion demands after data exfiltration put Ragnar Locker on the radar as a threat to enterprises. The gang's obfuscation techniques were so successful, additional ransomware groups began adopting them.
For example, the alert stated that rather than "choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt," which tricks the system to continue operating normally while the malware spreads.
"RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention," the alert said.
In addition, the FBI determined that operators behind Ragnar Locker avoided certain countries, most notably Russia. Prior to Russian law enforcement action earlier this year against another ransomware group, REvil, dark web chatter revealed that actors felt safe operating in Russia.
"If the victim location is identified as 'Azerbaijani,' 'Armenian,' 'Belorussian,' 'Kazakh,' 'Kyrgyz,' 'Moldavian,' 'Tajik,' 'Russian,' 'Turkmen,' 'Uzbek,' 'Ukrainian,' or 'Georgian,' the process terminates," the alert said.
The alert highlighted the repeated use of Windows APIs, including GetLocaleInfoW, to determine the location of the target system. The ransomware also attempts to delete all Volume Shadow Copies of data using two commands: >vssadmin delete shadows /all /quiet and >wmic.exe.shadowcopy.delete.
A report last month by industrial security vendor Dragos found that in 2021, ransomware was a primary threat against industrial control systems and operational technology. One top target was manufacturing, which accounted for 211 ransomware attacks. Though LockBit 2.0 and Conti caused more than half of the total ransomware attacks against the industrial sector, Ragnar Locker also made the list.
The FBI alert also provided indicators of compromise and offered mitigation steps such as network segmentation, using multifactor authentication, disabling unused remote accesses and auditing user accounts that have administrator privileges.