The Ragnar Locker ransomware gang has so far infected at least 52 critical infrastructure organizations in America, in industries including manufacturing, energy, financial services, government and information technology, according to an FBI alert issued this week.
The feds said [PDF] they learned about the ransomware group in early 2020, along with the malefactors’ favorite tactic: double extortion. The crew steals sensitive data, encrypts the victim’s systems, and threatens to release the stolen documents if the ransom demanded to restore the files is not paid.
To date, Ragnar Locker has published stolen data from at least ten organizations on its leak site, according to Acronis. In its latest wave of cybercrime, the ransomware gang hit entities in nearly a dozen critical sectors in January, according to the FBI’s flash alert, which also provides technical details on how the ransomware’s attacks work:
The Ragnar Locker malware uses the Windows GetLocaleInfoW API to identify the location of the infected machine. If the victim’s location is one of twelve European and Asian countries, including Russia, Ukraine and other states, the infection process ends.
As the ransomware is deployed, it kills services commonly used by managed service providers to remotely control networks, and attempts to silently delete all shadow copies of files so that users cannot recover them.
And finally, Ragnar Locker encrypts the organization’s data. But instead of choosing which files to encrypt, it selects which folders not to encrypt. “Taking this approach allows the computer to continue to operate ‘normally’ while the malware encrypts files with known and unknown extensions containing data valuable to the victim,” the FBI explained.
For example, if the logical drive being processed is the C: drive, the malware does not encrypt files in the folders named Windows, Windows.old, Mozilla, Mozilla Firefox, Tor Browser, Internet Explorer, $Recycle.Bin, Program Data, Google, Opera or Opera Software.
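For responders, that exclusion list is useful in reverse: given an inventory of paths from an affected host, it tells you which files the alert says should have been left alone, and which encrypted files would contradict the described behaviour. The script below is an added example, not code from the FBI alert or from The Register; it encodes the folder names quoted above and assumes (the alert does not say) that the match is case-insensitive, applies to the C: drive only, and by default looks at the folder directly under the drive root. The sample inventory is constructed.

```python
from pathlib import PureWindowsPath

# Folder names the FBI alert says Ragnar Locker skips on the C: drive.
# "Program Data" is kept as the article spells it; the real folder is
# "ProgramData", so both spellings are accepted (assumption).
EXCLUDED_FOLDERS = {
    "windows", "windows.old", "mozilla", "mozilla firefox", "tor browser",
    "internet explorer", "$recycle.bin", "program data", "programdata",
    "google", "opera", "opera software",
}


def is_skipped(path: str, top_level_only: bool = True) -> bool:
    """True if the file sits in a folder the alert says is not encrypted.

    Assumptions not stated in the alert: comparison is case-insensitive,
    only the C: drive is considered, and with top_level_only the folder
    must be directly under the drive root (so C:\\Program Files\\Mozilla
    Firefox is NOT treated as excluded). Pass top_level_only=False to
    match an excluded name anywhere in the path instead.
    """
    p = PureWindowsPath(path)
    if p.drive.upper() != "C:":
        return False
    # parts[0] is the anchor "C:\\"; the last part is the file itself.
    folders = [part.lower() for part in p.parts[1:-1]]
    if not folders:
        return False  # file directly in the drive root
    candidates = folders[:1] if top_level_only else folders
    return any(name in EXCLUDED_FOLDERS for name in candidates)


def triage(paths, top_level_only: bool = True) -> dict:
    """Split an inventory into files expected to survive and files at risk."""
    result = {"skipped": [], "at_risk": []}
    for path in paths:
        key = "skipped" if is_skipped(path, top_level_only) else "at_risk"
        result[key].append(path)
    return result


def inconsistent_encryptions(encrypted_paths, top_level_only: bool = True) -> list:
    """Encrypted files that fall inside an excluded folder.

    A non-empty result means the observed damage does not match the
    behaviour the alert describes: a cue to re-check the family
    attribution or to look for a second tool that touched those files.
    """
    return [p for p in encrypted_paths if is_skipped(p, top_level_only)]


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\kernel32.dll",
    r"c:\$Recycle.Bin\S-1-5-21-1\old_report.docx",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"D:\Windows\notes.txt",
    r"C:\boot.ini",
]

if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_INVENTORY).items():
        print(bucket)
        for f in files:
            print("  ", f)
    # Constructed: a file the malware should have skipped shows up as encrypted.
    print("inconsistent:", inconsistent_encryptions(
        [r"C:\Windows\Temp\cache.bin", r"C:\Users\bob\Desktop\plan.pdf"]))
```

The `top_level_only` switch exists because the alert describes the list per logical drive without saying how deep the check goes; run both modes when the host's layout makes the difference matter.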
The FBI urged victims to report ransomware attacks to their local field office. And while it “doesn’t encourage paying ransoms to criminal actors,” it acknowledged that the decision can be a tricky one for a business. Executives should “evaluate all options to protect their shareholders, employees and customers” before deciding to pay, it added. ®