Cybereason recognizes pattern of Ragnar Locker ransomware targeting energy sector

The Cybereason Global Security Operations Center (GSOC) team is investigating Ragnar Locker, a ransomware family and the ransomware operator behind it, which recently claimed to have breached systems at Greek pipeline company DESFA. The hackers caused a ‘limited scope data breach and IT system outage following a cyberattack’ at the natural gas operator.

DESFA said that all industrial operations related to the Greek national natural gas system kept operating as usual, and the damage was only to its IT systems. “The management of the NNGS continues to operate smoothly, and DESFA continues to supply natural gas to all entry and exit points of the country safely and adequately.” The move by DESFA is different from the reaction by Colonial Pipeline when DarkSide ransomware hackers targeted the company’s IT systems last May.

In its Threat Analysis report, Cybereason provides context over the DESFA breach and offers an overview of the Ragnar Locker ransomware through a dynamic and reverse engineering analysis.

Among its key findings, the GSOC team said that the DESFA pipeline ‘has been claimed by Ragnar Locker as their victim.’ As part of the group’s security evasion capabilities, Ragnar Locker checks whether specific products are installed on the host, in particular security products (antivirus), virtualization software, backup solutions, and IT remote management solutions.

Cybereason said that this is the second major pipeline company hit by ransomware, after Colonial Pipeline. Furthermore, ransomware has hit four energy companies recently, including three in Europe. The team also noted that Ragnar Locker is both the name of the ransomware group and the name of the ransomware binary; the group has been operating since 2019 and targets critical industries. It uses a double extortion scheme, and the ransomware avoids executing on systems in Commonwealth of Independent States (CIS) countries because the group itself is located in the CIS.

Ragnar Locker has also been known to target English-speaking users in general. The ransomware has been on the radar of the U.S. Federal Bureau of Investigation (FBI) since the gang breached over fifty organizations across ten critical infrastructure sectors. The federal agency said that, as of January this year, the ransomware had targeted entities in the critical manufacturing, energy, financial services, government, and information technology sectors. The advisory also added that the Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.

Cybereason said that DESFA was one of four energy providers hit by ransomware recently, including others in Europe. For example, the Hive ransomware posted energy and natural gas producer ENN Group from China on its portal; BlackCat ransomware hit Creos/Encevo, an energy company from Luxembourg; and South Staffordshire was targeted last month, allegedly by the CL0P ransomware gang.

Industrial cybersecurity firm Radiflow said that even though the gang announced it was ceasing operations in 2021, Ragnar Locker is very much active. “Given that the hackers published files stolen from DESFA’s IT environment and that, according to DESFA, some of its systems were affected by a cyberattack, our assessment is that the hackers had probably leveraged weak authentication mechanisms or social engineering vectors to penetrate into the enterprise network,” the post added.

Radiflow assesses that DESFA’s ability to maintain continuity of its OT operations was probably achieved by implementing proper security controls between the breached IT environment and OT networks, which continued to function. Accordingly, critical infrastructure utilities should take action in two parallel paths – improve IT security to prevent external threat vectors and build OT cyber resilience through several vectors, including risk assessment, IT/OT segmentation, network visibility, and two-factor authentication.
