
What is RagnarLocker? FBI Issues New Warning about Old Ransomware Family

The FBI published a new FLASH alert on March 7, 2022, warning that the RagnarLocker ransomware family has compromised at least 52 organizations across 10 critical infrastructure sectors, including critical manufacturing, energy, financial services, government, and information technology sectors.

According to the Identity Theft Resource Center, ransomware attacks doubled in 2020, and doubled again in 2021. But one thing that is interesting about the RagnarLocker ransomware family is that it has been around since 2019, persisting as a threat, even as other ransomware families such as Maze, DarkSide, REvil, and BlackMatter have retired or been arrested.

In fact, the FBI first published a FLASH alert about the RagnarLocker ransomware family on November 19, 2020. In that alert, the FBI warned RagnarLocker was targeting cloud service providers, communication, construction, travel, and enterprise software companies.

An Uncommon Approach to Obfuscation

RagnarLocker has several uncommon characteristics to note. First, it terminates its own process if it detects that the machine is located in one of several Eastern European countries, including Russia and Ukraine. This suggests that the attack group (or threat actor) is based in one of those countries, as is the case with many other Russian ransomware families.

The most distinctive aspect of RagnarLocker is how it evades detection by encrypting files with surgical precision rather than indiscriminately. RagnarLocker begins this process by terminating the connections of managed service providers, creating a shroud from which it can operate undiscovered. Next, RagnarLocker silently deletes Volume Shadow Copies to prevent the recovery of encrypted files. Finally, RagnarLocker selectively encrypts files, avoiding files and folders that are critical to system operation, such as .exe and .dll files and the Windows and Firefox (among other browsers) folders – this approach avoids raising any suspicion until the attack is complete.
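As an added defender-side example (not part of the FBI alert or OPSWAT's post), the following Python flags process-creation events that attempt to delete Volume Shadow Copies, the step described above. The event format and the command-line patterns are assumptions: the alert says RagnarLocker deletes shadow copies but does not name the command it uses.

```python
import re

# Constructed sample process-creation events (hypothetical; fields loosely
# modelled on Sysmon Event ID 1, not taken from the FBI alert).
SAMPLE_EVENTS = [
    {"host": "ws-17", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-17", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv-03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # enumeration only
    {"host": "srv-03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Command-line patterns for the common ways shadow copies are removed.
# Assumption: the alert does not state which of these RagnarLocker uses.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\b(Delete|Remove)\b", re.I),  # WMI/PowerShell
]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line matches a known shadow-copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def detect_shadow_copy_deletion(events):
    """Return only the events that attempt to delete Volume Shadow Copies.

    Listing shadow copies is not flagged; deletion is the recovery-killing
    step worth alerting on, ideally before bulk encryption starts.
    """
    return [e for e in events if is_shadow_copy_deletion(e.get("cmdline", ""))]


def hosts_with_deletion(events):
    """Map each host to the number of deletion attempts seen on it."""
    counts = {}
    for e in detect_shadow_copy_deletion(events):
        counts[e["host"]] = counts.get(e["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']}: {hit['cmdline']}")
```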

Although the FLASH alert does not mention it, there are a few other aspects of RagnarLocker that have been reported in the media that are also interesting. According to Bleeping Computer, RagnarLocker has issued warnings that it will leak stolen data if its victims approach the FBI. And according to SC Magazine, RagnarLocker has demonstrated that it can observe incident response chat rooms. Meanwhile, the FBI FLASH alert advises that organizations should not pay a ransom to criminal actors, as it may embolden them to target additional organizations.

It seems the best approach to such a complex situation is to avoid becoming ransomed in the first place.

A Long List of IOCs

While Russia engaged in some performative arrests of ransomware families toward the end of 2021, it is unlikely this sort of cooperation will continue given the ongoing conflict between Russia and Ukraine. Regardless, it does seem that the net is closing in around RagnarLocker, as some of the IOCs that the FBI has produced are quite revealing – in particular, there are several variations of an email address containing the name “Alexey Berdin.”

Even though both FLASH alerts describe RagnarLocker’s obfuscation techniques, it is interesting to observe how much intelligence has been gathered into the indicators of compromise (IOCs) between November 2020 and March 2022. In addition to more than a dozen email addresses, the FBI has also published three bitcoin wallet addresses and more than 30 IP addresses related to command and control (C2) servers and data exfiltration.

The FBI is asking any affected organizations to come forward with additional IOCs, including malicious IPs and executables.

Critical Infrastructure in the Crosshairs

For most critical infrastructure providers, RagnarLocker is the most recent reminder in a litany of ransomware attacks, such as Colonial Pipeline, JBS meatpacking, and Kaseya. Fortunately, OPSWAT is a leader in critical infrastructure protection.

Critical infrastructure protection is challenging because of the complexity of IT/OT integrations and legacy SCADA systems, the difficulty of gaining visibility into critical assets, and a cybersecurity skills shortage that is even more pronounced in the critical infrastructure sector.

RagnarLocker is not the first, last or only ransomware family to target the critical infrastructure sectors, so it is imperative that these critical infrastructure organizations remain vigilant against this threat. Download OPSWAT’s Guide to Critical Infrastructure Protection to learn how to prepare your organization today.
