
FBI: Ragnar Locker Ransomware Attacks Increase With Data Theft Risk

The FBI warns entities of a rise in Ragnar Locker ransomware, where hackers gain a foothold on the network, perform reconnaissance, and steal data before deploying the final attack.

The FBI is urging private sector organizations to be on alert for Ragnar Locker ransomware attacks, which frequently lead to data theft, following a rapid increase in cyberattacks.

First observed in April, Ragnar Locker ransomware actors are known to target a range of victims, including those in the cloud service provider, communication, construction, enterprise software, and travel industries.

The group became well known following a massive ransomware attack on a corporate enterprise. Hackers encrypted the network and demanded an $11 million ransom, while threatening to leak 10GB of data allegedly stolen from the company in an extortion attempt.

While there are no known reported events against the healthcare sector, providers should review the indicators of compromise given the recent wave in ransomware attacks led by Ryuk and TrickBot threat actors.

Much like other double extortion threat actors, the Ragnar Locker hacking group first gains a foothold onto a victim’s network and performs reconnaissance to find valuable data, network resources, backups, and other sensitive files for exfiltration purposes.

The hackers will then deploy the ransomware payload as the final stage of the attack, which encrypts all connected devices.

The FBI warned that the Ragnar Locker threat actors continually evolve their obfuscation techniques to avoid detection. The attack can be identified by the extension “.RGNR_<ID>”. The ID is a hash of the computer’s NETBIOS name.

The threat actors also leave victims with a .txt ransom note, which includes instructions on how to pay the ransom and decrypt the data. FBI officials explained the attackers use VMProtect, UPX, and custom packing algorithms.
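The two file-level indicators above, the ".RGNR_<ID>" extension with an ID derived from the NETBIOS name and a single ID shared by every file on a host, lend themselves to a simple triage check over a file listing. The following is an added example, not code from the FBI alert; it assumes the ID is a run of hexadecimal characters (the alert does not state the hash format) and runs over a constructed list of Windows paths.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Assumption (not from the alert): the <ID> appended after ".RGNR_" is treated
# here as six or more hex characters. Adjust if the real format differs.
RAGNAR_EXT_RE = re.compile(r"\.RGNR_(?P<id>[0-9A-Fa-f]{6,})$")

# Constructed sample listing: four encrypted files, two untouched ones.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\q3_budget.xlsx.RGNR_A1B2C3D4",
    r"C:\Users\alice\Documents\contract.pdf.RGNR_A1B2C3D4",
    r"C:\Users\alice\Pictures\holiday.jpg.RGNR_A1B2C3D4",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Documents\notes.txt",
    r"D:\backups\db_dump.bak.RGNR_A1B2C3D4",
]


def ragnar_id(path):
    """Return the <ID> suffix if the path ends in .RGNR_<ID>, otherwise None."""
    match = RAGNAR_EXT_RE.search(path)
    return match.group("id") if match else None


def scan_paths(paths, threshold=5):
    """Triage a list of file paths for the Ragnar Locker naming pattern.

    Returns a summary with the number of matching files, a per-ID count
    (one ID per host is expected, since the ID is a hash of the NETBIOS
    name), the affected directories, and an alert flag that fires once
    the number of renamed files reaches `threshold`.
    """
    ids = Counter()
    by_dir = defaultdict(int)
    for path in paths:
        file_id = ragnar_id(path)
        if file_id is None:
            continue
        ids[file_id] += 1
        by_dir[ntpath.dirname(path)] += 1
    encrypted = sum(ids.values())
    return {
        "encrypted": encrypted,
        "ids": dict(ids),
        "by_dir": dict(by_dir),
        # Several distinct IDs on one host would be unusual and worth a look.
        "multiple_ids": len(ids) > 1,
        "alert": encrypted >= threshold,
    }


if __name__ == "__main__":
    result = scan_paths(SAMPLE_PATHS, threshold=3)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The threshold keeps a single stray match from paging an analyst; in practice the input would come from a file-system audit log or a scheduled directory walk, and the per-directory counts help confirm that user data, rather than the excluded system folders, is what was touched.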

Further, the group has been observed deploying the ransomware from inside a custom Windows XP virtual machine deployed on the victim's site.

Using the Microsoft Windows API GetLocaleInfoW, the ransomware then obtains the victim's current locale. As seen with similar variants, the ransomware will not deploy on devices located in certain countries, such as Russia and Ukraine.

“The ransomware also checks for current infections to prevent multiple encryption transformations of the data, potentially corrupting it,” according to the alert. “The binary gathers the unique machine GUID, operating system product name, and username currently running the process.”

“This data is sent through a custom hashing algorithm to generate a unique identifier,” the alert continued. “The Ragnar Locker ransomware identifies all attached hard drives, whether assigned a drive letter or not, using Windows APIs… The ransomware assigns a drive letter to any volumes not assigned to a logical drive letter and makes them accessible.”

The virus will encrypt these newly attached volumes during the final stage of the binary.

Ragnar Locker iterates through all running services and can terminate services commonly used by managed service providers to remotely administer networks. The FBI warned that the variant will then attempt to silently delete all Volume Shadow Copies, which will prevent the victim from recovering encrypted files.

Interestingly, the malware chooses folders it will not encrypt, rather than selecting files to encrypt. This approach allows the computer to continue normal operations, while the ransomware encrypts data of value to the victim with known and unknown extensions.

For example, if the logical drive being processed is the C: drive, the malware does not encrypt files in Windows, Windows.old, Tor browser, Internet Explorer, Mozilla, and other files.

To prevent falling victim, organizations were encouraged to ensure all critical data is protected in offline backups, as well as storing copies of critical data in the cloud, on an external hard drive or other storage device that can’t be accessed from the compromised network.

Administrators should secure all backups and make sure they’re not accessible for modification or deletion from the system where the data resides. Anti-virus and anti-malware software must be installed and routinely updated on all hosts, while organizations should be sure they’re only using secure networks rather than public Wi-Fi.

The FBI recommended organizations consider implementing and leveraging Virtual Private Networks (VPNs). Computers, devices, and applications must also be patched and up to date.

Further ransomware guidance from the Office for Civil Rights and NIST can help healthcare providers ensure they've employed adequate security measures.
