Search This Blog

Showing posts with label Ragnar Locker Ransomware Group. Show all posts

In-Depth Look at Ragnar Locker Ransomware Targeting Vital Industries

 

The Ragnar group, responsible for the Ragnar Locker ransomware, has been active since 2019, targeting critical industries and using double extortion. The FBI warned in March 2022 that at least 52 entities from ten critical industry sectors had been affected. 

In August 2022, the group launched an attack on Greek gas supplier Desfa, claiming to have stolen sensitive data. Cybereason researchers examined Ragnar Locker's encryption process. Ragnar Locker performs a location check during execution. Execution is stopped if the location is any country in the Commonwealth of Independent States (CIS).

It then gathers host information, such as the computer and user names, as well as the machine GUID and Windows version. A custom hashing function concatenates and conceals this data. The combined hashes are used to name a new event. Ragnar Locker then attempts to locate existing file volumes by utilising the Windows APICreateFileW.

The encrypted list of services contained within the Ragnar Locker code is decrypted. VSS, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, kaseya, vmcompute, Hyper-v, vmms, Dfs are all included. If any of these are discovered to be running services, the malware terminates them.

The malware then decrypts and prepares an embedded RSA public key for use. It decrypts the ransom note and then proceeds to delete any shadow copies of the host via vssadmin.exe and Wmic.exe.

The ransom note also states in the analysed sample, "Also, all of your sensitive and private information was gathered, and if you decide NOT to pay, we will upload it for public view!" Tor's Ragnar Locker data leak site (http [://] rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd [.] onion/) currently lists approximately 70 claimed victims.

The note demands a ransom of 25 bitcoins, but suggests that if contact is made within two days, this can be negotiated. However, it warns that if no contact is made within 14 days, the ransom will double, and the decryption key will be destroyed if no payment agreement is reached within 21 days. It also states that the attackers customised the ransom amount based on the victim's "network size, number of employees, annual revenue."

Ragnar Locker begins the encryption process once the ransom note is complete. The files like autoruns.inf, boot.ini, bootfront.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db; specific processes and objects such as Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.bin, ProgramData, All Users; and files with the extensions .db, .sys, .dll, lnk, .msi, .drv, .exe.are among those excluded.

Other files' filenames are sent to the encryption function, which encrypts them and appends the suffix '.ragnar [hashed computer name]'. Ragnar Locker creates a notepad.exe process after encryption and displays the ransom note on the user's screen.

The stolen data used in the double extortion process is continuously exfiltrated until it reaches the point of encryption. According to Loic Castel, a principal security analyst at Cybereason's Global SOC, “In general, ransomware operatives doing double extortion always require full privileges on the network they are looking to encrypt.. Between the initial access phase (when they take control of an asset, for instance through spearphishing) and the encryption phase, they have access to many machines, which they can extract data from and send through exfiltration services / external domains.”

As per the FBI alert, data exfiltration occurred nearly six weeks after the initial access and continued for about ten days before the encryption process began. Ragnar Locker primarily targets critical industry companies. 

“Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” warned the FBI in its March 2022 alert.

Ragnar Locker to Publish Victims Data if They Approach FBI

 

The ransomware gang Ragnar Locker implements a new strategy, which forces victims to pay the ransom and threatens to expose their stolen data if victims approach the FBI. Earlier, Ragnar Locker has struck notable ransomware attacks on various companies to extract millions of dollars in ransom payments. 

Ragnar Locker perpetrators are believed to deploy payloads of the ransomware to the victim's computers manually. They spend time recognizing system resources, business backups, and other critical files before the data encryption phase. 

This week, the organization threatened to release complete information on victims seeking the aid and assistance of the police and investigating authorities amid a ransomware attack in an annunciation on the darknet leak portal of Ragnar Locker. 

The threat is equally applicable to individuals who approach file recovery experts to try to decode files and later on negotiate. In any case, the gang will expose the entire data of the victims on their .onion site. 

The Ransomware administrator says that the process of recovery is only worsened by affected companies who hire "professional negotiators" It is because these negotiators typically collaborate with FBI-associated data retrieval businesses and equivalent organizations. 

“In our practice we has facing with the professional negotiators much more often in last days,” the announcement said in broken-English-ese. “Unfortunately it’s not making the process easier or safer, on the contrary it’s actually makes all even worse.” 

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised Data immediately. Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie. Dear clients if you want to resolve all issues smoothly, don’t ask the Police to do this for you. We will find out and punish with all our efforts,” further reads the announcement. 

Such dealers are either connected to or interact personally with law enforcement officials, the gang claims. In any case, they are in it and do not care about the economic well-being of their customers or their data privacy, stated the organization. 

The previous victims of Ragnar Locker included the Japanese game maker Capcom, ADATA manufacturer of computer chips, and the Dassault Falcon airline company. In Capcom's case, 2,000 devices were supposedly encoded and the attacker demanded $11.000,000 for a decryption key in return. 

Ragnar Locker's latest revelation induces further stress for victims, given that governments across the world have strongly advocated against paying ransoms in the present climate of escalating cyber threats. 

"Government has a strong position against paying ransoms to criminals, including when targeted by ransomware. Paying a ransom in response to ransomware does not guarantee a successful outcome," said the British Home Secretary, Priti Patel in May this year.

Chip Maker ADATA Attacked by Ragnar Locker Ransomware Group

 

ADATA, a Taiwan-based leading memory and storage manufacturer, was forced to take its systems offline after a ransomware attack crippled its network in late May. 

ADATA is known for manufacturing superior DRAM memory modules, NAND nonvolatile storage cards, mobile accessories, gaming products, diversion products, wattage trains, and industrial solutions.

ADATA admitted in an email to Bleeping Computer that it was hit by a ransomware attack on May 23, 2021, and responded by shutting down the impacted systems and notifying all relevant international authorities of the ransomware attack. However, the firm claims that its business operations are no longer disrupted and that it is busy restoring the affected devices. 

ADATA didn’t offer info on the ransomware operation behind the incident or any ransom demands. However, Bleeping Computer says that the Ragnar Locker ransomware gang has already taken the responsibility for the ADATA attack. In fact, Ragnar Locker says that they have allegedly taken one 1.5TB of sensitive information from ADATA’s computers before deploying the ransomware. 

So far, the ransomware gang has posted screenshots of the stolen files in order to prove their claims. However, they’re threatening to leak the rest of the data if the memory manufacturer does not pay the ransom. Chip manufacturers have become a lucrative target for ransomware operators, who can use the threat of downtime, which can prove to be a lot more costly in these turbulent times than the ransom, as another bargaining chip.

Security researchers discovered the Ragnar Locker ransomware in late December 2019. The gang operates by targeting enterprise endpoints and terminating remote management computer code (such as ConnectWise and Kaseya) installed by managed service suppliers (MSPs) to manage clients’ systems remotely.

In November 2020, the FBI said that Ragnar Locker Ransomware targeted "cloud service providers, communication, construction, travel, and enterprise software companies." The attack on ADATA is significant also because of its timing, as it comes in the midst of the ongoing chip shortage. With manufacturers struggling to keep pace with the demands, any downtime could further delay the industry's recovery. 

ADATA stated to BleepingComputer that it is "determined to devote ourselves making the system protected than ever, and yes, this will be our endless practice while the company is moving forward to its future growth and achievements."