FBI detects RagnarLocker ransomware targeting critical infrastructure sectors

The U.S. Federal Bureau of Investigation (FBI) said it had identified at least 52 entities across ten critical infrastructure sectors that were affected by RagnarLocker ransomware. As of January 2022, entities in the critical manufacturing, energy, financial services, government, and information technology sectors have been targeted by the ransomware. 

“RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” the FBI said in a FLASH report on Monday. 

The FBI said that RagnarLocker is identified by the extension “.RGNR_<ID>,” where <ID> is a hash of the computer’s NETBIOS name. The hackers, identifying themselves as “RAGNAR_LOCKER,” leave a .txt ransom note, with instructions on how to pay the ransom and decrypt the data. RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker’s custom Windows XP virtual machine on a target’s site. 

RagnarLocker uses Windows API GetLocaleInfoW to identify the location of the infected machine. If the victim location is identified as ‘Azerbaijani,’ ‘Armenian,’ ‘Belorussian,’ ‘Kazakh,’ ‘Kyrgyz,’ ‘Moldavian,’ ‘Tajik,’ ‘Russian,’ ‘Turkmen,’ ‘Uzbek,’ ‘Ukrainian,’ or ‘Georgian,’ the process terminates, the FLASH report added. 

Subsequently, RagnarLocker checks for an existing infection so that the data is not encrypted a second time, which could corrupt it, the FBI pointed out. The binary gathers the unique machine GUID, operating system product name, and the user name currently running the process, and passes that data through a custom hashing algorithm to generate a unique identifier, it added.

The ransomware assigns a drive letter to any volumes not assigned a logical drive letter and makes them accessible, according to the FLASH report. These newly attached volumes are later encrypted during the final stage of the binary. RagnarLocker iterates through all running services and terminates services commonly used by managed service providers to remotely administer networks, it added. 

The malware then attempts to silently delete all Volume Shadow Copies, using two different methods, to prevent users from recovering encrypted files, the FBI warned in its alert. Finally, RagnarLocker encrypts all available files of interest. Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. This approach allows the computer to continue to operate ‘normally’ while the malware encrypts files with known and unknown extensions containing data of value to the victim, it added.
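The FLASH describes the “.RGNR_<ID>” extension and the dropped .txt ransom note; the following triage helper, an added example that is not part of the FBI report or of this article, groups files from a constructed directory listing by that <ID> and flags candidate notes. The ID format (alphanumeric) and the note filename are assumptions, since the report does not state them.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Encrypted files carry ".RGNR_<ID>", where <ID> is a hash of the host's
# NETBIOS name. The hash format is not stated, so an alphanumeric ID is
# assumed here (assumption).
RGNR_RE = re.compile(r"\.RGNR_([0-9A-Za-z]+)$")

# Constructed sample listing for the example; not real victim data.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.RGNR_A1B2C3D4",
    r"C:\Users\alice\Documents\budget.xlsx.RGNR_A1B2C3D4",
    r"C:\Users\alice\Documents\RESTORE_FILES.txt",   # hypothetical note name
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\notes.txt",
]

def group_encrypted_by_id(paths):
    """Map each RGNR <ID> to the files carrying it. Because the ID derives
    from the NETBIOS name, more than one ID in a single share or backup
    listing suggests files written by more than one infected host."""
    by_id = defaultdict(list)
    for p in paths:
        m = RGNR_RE.search(p)
        if m:
            by_id[m.group(1)].append(p)
    return dict(by_id)

def candidate_ransom_notes(paths):
    """Heuristic: the report says a .txt note is left but does not name it,
    so flag .txt files that sit in a directory alongside encrypted files."""
    hit_dirs = {str(PureWindowsPath(p).parent) for p in paths if RGNR_RE.search(p)}
    return [p for p in paths
            if p.lower().endswith(".txt") and str(PureWindowsPath(p).parent) in hit_dirs]

def triage(paths):
    """Summarise a listing: affected IDs, encrypted-file count, note candidates."""
    by_id = group_encrypted_by_id(paths)
    return {
        "ids": sorted(by_id),
        "encrypted_count": sum(len(v) for v in by_id.values()),
        "notes": candidate_ransom_notes(paths),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```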

“While it may seem like ransomware is unavoidable, and being prepared to respond to an infection is important, there are preventive measures that organizations can take to reduce the risk of becoming a victim,” Tim Erlin, vice president of strategy at Tripwire, wrote in an emailed statement. “Ransomware doesn’t magically appear on your systems. Attackers have to find a way to install their preferred flavor of ransomware on your systems, and shutting down common attack vectors will reduce the risk. Ensure that your systems are securely configured, and as free from vulnerabilities as possible. Attackers will take advantage of insecurely configured and vulnerable systems,” he added. 

Phishing is another common attack vector, Erlin pointed out. “Training users and implementing strong anti-phishing measures can help. Finally, attackers rarely encrypt the first system they compromise. They need to encrypt sensitive data to have an impact. Advanced organizations may choose to implement capabilities like integrity monitoring to detect lateral movement inside the network that other tools might miss,” he added. 

Last month, the FBI and the U.S. Secret Service (USSS) issued a cybersecurity advisory providing technical details and indicators of compromise concerning BlackByte ransomware. The group is said to have compromised multiple U.S. and foreign businesses, covering entities across at least three U.S. critical infrastructure sectors, including government facilities, financial, and food and agriculture, as of November last year.

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned of hackers deploying ‘destructive malware’ against Ukrainian organizations. It has been found that cybercriminals have tried to destroy computer systems and render them inoperable in the wake of the Russian attack against Ukraine.

CISA has also cautioned critical infrastructure operators about malicious actors using influence operations to shape public opinion, undermine trust, amplify division, and sow discord. It also issued a ‘Shields Up’ alert that notifies every organization in the country of the potential risk from cyber threats that can disrupt essential services and potentially impact public safety.
