Over the past two years, the Ragnar Locker ransomware gang attacked more than 50 critical infrastructure entities in the U.S., according to the FBI.
A flash alert issued Monday by the law enforcement agency’s cyber division detailed new indicators of compromise for the variant, which the FBI tracked from April 2020 through January 2022. During that time, the FBI observed “at least 52 entities across 10 critical infrastructure sectors” affected by the ransomware, including critical manufacturing, energy, financial, government and information technology.
Sophisticated evasion techniques and high extortion demands after data exfiltration put Ragnar Locker on the radar as a threat to enterprises. The gang’s obfuscation methods were so effective that other ransomware groups began adopting them.
For example, the alert said that rather than “choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt,” which tricks the system into continuing to operate normally while the malware spreads.
“RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” the alert said.
In addition, the FBI determined that the operators behind Ragnar Locker avoided certain countries, most notably Russia. Prior to Russian law enforcement action earlier this year against another ransomware group, REvil, dark web chatter revealed that actors felt safe operating in Russia.
“If the victim location is identified as ‘Azerbaijani,’ ‘Armenian,’ ‘Belorussian,’ ‘Kazakh,’ ‘Kyrgyz,’ ‘Moldavian,’ ‘Tajik,’ ‘Russian,’ ‘Turkmen,’ ‘Uzbek,’ ‘Ukrainian,’ or ‘Georgian,’ the process terminates,” the alert said.
The alert highlighted the frequent use of Windows APIs, including GetLocaleInfoW, to identify the location of the target system. The ransomware also attempts to delete all Volume Shadow Copies of data using two commands: vssadmin delete shadows /all /quiet and wmic.exe shadowcopy delete.
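As an added illustration (not part of the FBI alert or this article), the following Python detector flags the two shadow copy deletion commands named above in process-creation log lines; the pipe-delimited log format and the sample lines are constructed for the example.

```python
import re

# Constructed sample process-creation log lines (not from the FBI alert),
# in an assumed "timestamp|host|parent process|command line" format.
SAMPLE_LOGS = [
    "2022-03-07T10:01:11|WS-17|explorer.exe|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "2022-03-07T10:02:45|WS-17|svchost.exe|C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet",
    "2022-03-07T10:02:46|WS-17|svchost.exe|wmic.exe shadowcopy delete",
    "2022-03-07T10:03:00|WS-17|cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe process list brief",
    "2022-03-07T10:04:12|SRV-02|backup.exe|vssadmin.exe delete shadows /for=C: /oldest",
]

# Each rule: (name, regex) for one of the shadow copy deletion commands cited
# in the alert. Case-insensitive and tolerant of full paths, the optional
# ".exe" suffix and extra whitespace, so casing or path variations still match.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"(?:^|[\\/\s])vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)),
    ("wmic_shadowcopy_delete",
     re.compile(r"(?:^|[\\/\s])wmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE)),
]


def parse_line(line):
    """Split one pipe-delimited log line into a dict; return None if malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, parent, cmd = parts
    return {"ts": ts, "host": host, "parent": parent, "cmd": cmd}


def detect_shadow_deletion(lines):
    """Return (rule_name, host, parent, cmd) for every log line that matches a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than crash the pipeline
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                hits.append((name, rec["host"], rec["parent"], rec["cmd"]))
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_deletion(SAMPLE_LOGS):
        print("ALERT", *hit)
```

The parent process is carried into each hit so that a legitimate backup agent issuing vssadmin can be triaged apart from an unexpected parent such as a service host.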
A report last month by industrial security vendor Dragos found that in 2021, ransomware was a major threat against industrial control systems and operational technology. One prime target was manufacturing, which accounted for 211 ransomware attacks. While LockBit 2.0 and Conti caused more than half of the total ransomware attacks against the industrial sector, Ragnar Locker also made the list.
The FBI alert also provided indicators of compromise and offered mitigation measures such as network segmentation, using multifactor authentication, disabling unused remote access and auditing user accounts that have administrator privileges.