The RagnarLocker cyber-extortion group has already compromised at least 52 critical infrastructure organizations in the United States, primarily in the manufacturing, energy, financial services and information technology sectors, as well as government organizations. This is reported in a new FBI notice published the other day.
The Bureau first became aware of the RagnarLocker group and its preferred tactics of double extortion in early 2020. Attackers steal sensitive data, encrypt victims’ systems and threaten to publish the stolen information if a ransom is not paid.
The RagnarLocker ransomware appends the extension .RGNR_<ID> to each encrypted file, where <ID> is a hash of the computer's NETBIOS name. The RAGNAR_LOCKER operators leave a .txt ransom note on the infected system containing the ransom demand and payment instructions. RagnarLocker uses VMProtect, UPX and custom packing algorithms and is deployed from the attackers' custom Windows XP virtual machine.
Using the Windows API GetLocaleInfoW, the malware identifies the locale of the attacked system. If the system is located in one of a dozen selected countries in Europe and Asia, including Ukraine and Russia, the infection process terminates.
After deployment, the ransomware disables services often used by managed service providers for remote control over networks, and secretly deletes all shadow copies of documents, so users cannot recover encrypted files.
Ultimately, RagnarLocker encrypts the data of the attacked organization. Notably, rather than selecting which files to encrypt, the malware selects which folders to exclude from encryption. This tactic allows the computer to keep working normally while RagnarLocker encrypts files with known and unknown extensions that contain data important to the victim.
For example, when processing the C: volume, the malware does not encrypt folders named Windows, Windows.old, Mozilla, Mozilla Firefox, Tor browser, Internet Explorer, $Recycle.Bin, Program Data, Google, Opera and Opera Software.
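The two details above, the .RGNR_<ID> file extension and the fixed list of skipped folders, are the kind of artifacts an incident responder looks for when triaging a file listing from an affected host. The following script is an added example and not code from the FBI notice or from the malware; it takes a list of file paths (the sample paths are constructed), extracts the victim IDs from RagnarLocker-style extensions, counts encrypted files per top-level folder, and checks whether every untouched top-level folder is on the exclusion list the article names. The assumption that <ID> is a hexadecimal string is the author's own; the article only says it is a hash of the NETBIOS name.

```python
"""Triage helper for a file listing from a host suspected of RagnarLocker encryption.

Added example; not the FBI's or the malware's code. The extension pattern and
the skipped-folder names come from the article, the sample paths are constructed.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# A file name ending in .RGNR_<ID>. Assumption: <ID> is hexadecimal.
RGNR_RE = re.compile(r"\.RGNR_([0-9A-Fa-f]+)$")

# Top-level folders on C: that the article says the malware does not encrypt
# (lower-cased for case-insensitive comparison).
EXCLUDED_FOLDERS = {
    "windows", "windows.old", "mozilla", "mozilla firefox", "tor browser",
    "internet explorer", "$recycle.bin", "program data", "google", "opera",
    "opera software",
}


def classify_path(path):
    """Return (is_encrypted, victim_id_or_None, top_level_folder_or_None)."""
    p = PureWindowsPath(path)
    m = RGNR_RE.search(p.name)
    parts = p.parts            # e.g. ('C:\\', 'Users', 'alice', 'budget.xlsx.RGNR_...')
    top = parts[1] if len(parts) > 1 else None
    return (m is not None, m.group(1) if m else None, top)


def triage(paths):
    """Summarize encrypted files, victim IDs and folder coverage for a path listing."""
    ids, all_tops, touched, encrypted = set(), set(), Counter(), []
    for path in paths:
        enc, vid, top = classify_path(path)
        if top is not None:
            all_tops.add(top)
        if enc:
            encrypted.append(path)
            ids.add(vid)
            if top is not None:
                touched[top] += 1
    # Folders with no encrypted files; those not on the exclusion list are
    # worth a second look (interrupted run, different malware, or a clean share).
    untouched = sorted(t for t in all_tops if t not in touched)
    unexplained = [t for t in untouched if t.lower() not in EXCLUDED_FOLDERS]
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted(ids),
        "touched_folders": dict(touched),
        "untouched_folders": untouched,
        "unexplained_untouched": unexplained,
        "consistent_with_exclusion_list": not unexplained,
    }


# Constructed sample listing: every untouched top-level folder is on the list.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.RGNR_A1B2C3D4",
    r"C:\Users\alice\Documents\contract.pdf.RGNR_A1B2C3D4",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Data\app\config.ini",
    r"C:\Google\Chrome\Application\chrome.exe",
    r"C:\Projects\src\main.c.RGNR_A1B2C3D4",
]

# Same listing plus an untouched folder the exclusion list does not explain.
SAMPLE_PATHS_WITH_GAP = SAMPLE_PATHS + [r"C:\Backups\db.bak"]


if __name__ == "__main__":
    for label, paths in (("baseline", SAMPLE_PATHS), ("with gap", SAMPLE_PATHS_WITH_GAP)):
        report = triage(paths)
        print(label)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

Run against a real file listing (for example the output of a recursive directory walk exported from the affected host), the victim ID ties each encrypted file back to a specific machine name, and the consistency flag tells you whether the untouched folders are explained by the known exclusion list or deserve separate review.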
The FBI urges ransomware victims to report cyberattacks and not pay ransom, although it “understands that it may be difficult for companies to make such a decision.” Management should “evaluate all options to protect its shareholders, employees and customers” before deciding to pay.