FBI warns of RagnarLocker gang attacking US critical infrastructure

Financial services, energy and IT are among the targeted sectors

The US Federal Bureau of Investigation (FBI) is warning businesses and other organisations in the United States of the ongoing threat from the Ragnar Locker ransomware group, which has infiltrated the networks of more than 50 entities from multiple critical infrastructure sectors in recent years.

"As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors," the FBI says in a flash alert [pdf] published in coordination with the US Cybersecurity and Infrastructure Security Agency (CISA).

RagnarLocker's ransomware payloads were initially noticed in cyber attacks in late December 2019, although the federal agency only learned of the gang's existence in April 2020.

The RagnarLocker gang uses the double extortion tactic: the operators first steal the organisation's sensitive data, then encrypt it and threaten to release the stolen copy publicly if the victim does not pay the ransom in time.

Their obfuscation techniques have been so successful that other ransomware groups have started to use them, too.

In the alert, the FBI notes that instead of choosing which files to encrypt, RagnarLocker chooses which folders it won't encrypt. This strategy allows the system to function 'normally' while the malware encrypts files that contain data of value to the victim.

The FBI also discovered that the operators of RagnarLocker avoid targeting certain countries; to do so, the malware calls the Windows API function GetLocaleInfoW to identify the locale, and thereby the likely location, of the infected system.

If the victim location is detected as Russian, Belorussian, Azerbaijani, Armenian, Kyrgyz, Kazakh, Moldavian, Tajik, Turkmen, Uzbek, Ukrainian or Georgian, the process is terminated.
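The locale gate described above is visible in a sandbox as a telltale sequence: a locale query followed almost immediately by the process ending itself, with no file activity in between. The script below is an added illustration, not code from the FBI alert or from this article, that scans an API-call trace for that pattern. The trace format (timestamp, pid, API call) and every value in the sample trace are constructed for the example; a real sandbox emits its own format, so the parser is the part a practitioner would adapt.

```python
"""Flag processes whose API trace shows a locale query followed almost
immediately by self-termination (a "locale gate"). Added example with a
constructed trace format; adapt parse_trace() to your sandbox's output."""
import re
from collections import defaultdict

# Constructed line format: "HH:MM:SS.mmm pid ApiName(args)"
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{3}) (\d+) (\w+)\((.*)\)$")

EXIT_APIS = {"ExitProcess", "TerminateProcess"}
# Any of these between the locale query and the exit means the sample did
# real work first, so the exit is not a locale gate.
WORK_APIS = {"CreateFileW", "WriteFile", "MoveFileW", "CryptEncrypt"}

# Constructed sample: pid 4120 queries the locale and exits 2 ms later,
# pid 5308 queries the locale and then goes on to touch files.
SAMPLE_TRACE = """\
00:00:01.000 4120 GetSystemInfo()
00:00:01.010 4120 GetLocaleInfoW(LOCALE_SYSTEM_DEFAULT, LOCALE_SISO3166CTRYNAME)
00:00:01.012 4120 ExitProcess(0)
00:00:02.000 5308 GetLocaleInfoW(LOCALE_USER_DEFAULT, LOCALE_SDECIMAL)
00:00:02.500 5308 CreateFileW(C:\\Users\\alice\\report.docx)
00:00:02.600 5308 WriteFile(...)
00:00:09.000 5308 ExitProcess(0)
"""


def parse_trace(text):
    """Return (time_ms, pid, api, args) tuples; lines that do not match the
    constructed format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s, ms, pid, api, args = m.groups()
        t = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms)
        events.append((t, int(pid), api, args))
    return events


def find_locale_gates(text, window_ms=500):
    """Return [(pid, gap_ms)] for every process that calls GetLocaleInfoW and
    then exits within window_ms without any file or crypto activity between."""
    by_pid = defaultdict(list)
    for t, pid, api, _args in parse_trace(text):
        by_pid[pid].append((t, api))

    hits = []
    for pid, evs in by_pid.items():
        for i, (t0, api) in enumerate(evs):
            if api != "GetLocaleInfoW":
                continue
            for t1, later in evs[i + 1:]:
                if later in WORK_APIS:
                    break  # the sample did work: this was an ordinary query
                if later in EXIT_APIS:
                    if t1 - t0 <= window_ms:
                        hits.append((pid, t1 - t0))
                    break
    return hits


if __name__ == "__main__":
    for pid, gap in find_locale_gates(SAMPLE_TRACE):
        print(f"pid {pid}: exited {gap} ms after locale query (possible locale gate)")
```

The window is deliberately short because a gated sample typically exits within a few milliseconds of the query; the "no work in between" check matters more than the window, since a benign program that reads the locale at startup and runs for seconds before exiting should not be flagged even with a generous window. A hit is a triage signal for an analyst, not a verdict.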

The operators also check whether the system is already infected, to avoid encrypting the data a second time, which could render it unrecoverable.

According to Acronis, RagnarLocker operators have released stolen data from at least 10 firms on their website to date.

In September last year, the RagnarLocker group warned organisations that it would leak all exfiltrated data from victims who contact law enforcement authorities after suffering a ransomware attack.

The threat also applied to victims who contact data recovery firms to attempt decryption and conduct the negotiation process.

In its alert, the FBI provides an updated list of indicators of compromise (IOCs) that organisations can use to identify and protect against RagnarLocker ransomware attacks.

The IOCs include information about attack infrastructure, email addresses used by the gang's operators and bitcoin addresses used to collect ransom payments.
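Putting such an IOC list to use means sweeping existing telemetry (mail gateway, proxy and ransom-note text) for exact matches on the three indicator types the alert provides. The script below is an added example, not part of the FBI alert or this article: every indicator and log line in it is a constructed placeholder (RFC 5737 documentation IP ranges, example.net addresses, a made-up base58 string), so the real values must be substituted from the alert itself before it is run against production logs.

```python
"""Sweep log lines for exact matches against an IOC set of emails, IPv4
addresses and bitcoin addresses. Added example; all values are constructed."""
import re

# Extractors pull candidate tokens out of free-form log text. Matching is
# then exact against the IOC set, which avoids fuzzy false positives.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Legacy (1/3-prefixed base58) and bech32 (bc1) address shapes.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

EXTRACTORS = (("ip", IPV4_RE), ("email", EMAIL_RE), ("btc", BTC_RE))

# Constructed placeholder IOCs: replace with the values from the alert.
IOCS = {
    "email": {"ioc-constructed@example.net"},
    "ip": {"198.51.100.23"},
    "btc": {"1ABCDEFGHJKMNPQRSTUVWXYZabcdefghjk"},
}

# Constructed log lines in a loose "timestamp source key=value" style.
SAMPLE_LOGS = """\
2022-03-08T10:02:11Z mailgw from=<ioc-constructed@example.net> to=<cfo@corp.example> subject="Your files"
2022-03-08T10:05:43Z proxy user=alice dst=198.51.100.23:443 bytes=4096
2022-03-08T10:07:00Z note "pay 30 BTC to 1ABCDEFGHJKMNPQRSTUVWXYZabcdefghjk"
2022-03-08T10:09:30Z proxy user=bob dst=192.0.2.10:80 bytes=120
"""


def normalise(kind, value):
    """Emails are case-insensitive; IPs and bitcoin addresses are not."""
    return value.lower() if kind == "email" else value


def match_iocs(text, iocs=IOCS):
    """Return [(line_no, kind, value)] for every IOC found, in log order."""
    wanted = {k: {normalise(k, v) for v in vals} for k, vals in iocs.items()}
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in EXTRACTORS:
            for candidate in rx.findall(line):
                if normalise(kind, candidate) in wanted.get(kind, ()):
                    hits.append((line_no, kind, candidate))
    return hits


if __name__ == "__main__":
    for line_no, kind, value in match_iocs(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} IOC matched: {value}")
```

Extract-then-exact-match is preferable to searching each IOC as a substring: a short indicator such as an IP address would otherwise match inside longer, unrelated tokens, and normalising only the case-insensitive type (email) keeps bitcoin addresses, which are case-sensitive, from being mis-matched.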

In an advisory, the FBI encourages victims to contact their local field office to report ransomware incidents.

While the agency does not recommend paying a ransom to criminals, it acknowledges that it may be a difficult business choice, and that executives should consider all available options to protect their employees, shareholders and consumers before making a final decision.

"Regardless of whether you or your organisation decides to pay the ransom, the FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks," it adds.