An early March “Flash” warning from the FBI provides indicators of compromise for the Ragnar Locker ransomware, in light of it spreading widely throughout critical infrastructure companies.
The FBI says that 52 critical infrastructure firms have been hit by Ragnar Locker ransomware as of January 2022, and that it remains a substantial threat even as it crosses the threshold of two years in the wild. In addition to a technical breakdown useful in identifying attacks, the FBI reiterated its position of discouraging ransomware payments and encouraged immediate reporting (even if a ransom has already been paid) to local field offices if it is suspected.
Ragnar Locker ransomware continues to menace organizations of all types
The Ragnar Locker ransomware group made a name for itself in 2020 with attacks on high-profile targets such as gaming company Capcom, Italian liquor giant Campari, and major Portuguese energy supplier Energias de Portugal. The FBI has issued a prior alert about the group, as has Microsoft. Ragnar Locker has managed to survive even as contemporaries such as REvil and DarkSide have been hit hard by law enforcement actions and essentially driven out of business (largely due to their targeting of critical infrastructure companies). In late 2021, the Ragnar Locker group even became bold enough to threaten victims with document dumps if they went to the FBI or engaged “professional negotiators” of any sort.
The recent FBI Flash notification warns that Ragnar Locker ransomware remains a serious threat, with considerable penetration among critical infrastructure companies: some 52 firms in 10 relevant sectors (such as critical manufacturing, financial services and energy).
A technical breakdown explains how the Ragnar Locker ransomware works. It has long been known to specifically target Windows systems, but one small nugget from this notification is that it defaults to encrypting everything on a target system and makes a list of exceptions in advance. This exception list mostly contains files critical to basic operation (such as .exe and .dll) contained in the Windows directories, which actually helps the ransomware to more effectively encrypt data in the background while the system continues to run.
The notification contains a lengthy list of items the FBI recommends that victims have available for investigators: a copy of the ransom note, amount of demand and currency type, any malicious files or recorded malicious IP addresses, a summary of the timeline of events, an incident response report, and host and network logs among them. Recommended mitigations include backing up critical data both offline and in the cloud, multi-factor authentication, the use of email banners for emails that come from outside the organization, disabling of unused remote access/Remote Desktop Protocol (RDP) ports, and implementing network segmentation.
Critical infrastructure companies remain a popular target
The FBI notes that the Ragnar Locker ransomware has been consistently successful due to frequent changing of its obfuscation techniques to prevent detection. It also makes use of virtual machines on targeted devices to help avoid raising automated alarms; Ragnar Locker has been observed deploying on a Windows XP or Windows 7 virtual machine inside Oracle Virtualbox, with an installer file size of about 122 MB hiding a ransomware executable of less than 100 kilobytes.
The group was also among the first to use the “double extortion” technique, first stealing sensitive files from target systems and then encrypting them. The stolen files are held to ransom on a dark web site, with the group threatening to make them public if the ransom is not paid. The group has also been known to partner with other major ransomware outfits (such as Maze) to share elements such as dark web infrastructure. The Maze cartel is thought to have gone out of business in late 2020, but elements of it (including the creators of the Ragnar Locker ransomware) have continued to do business using their established infrastructure and tools.
Rajiv Pimplasker, CEO of Dispersive Holdings, weighed in with some additional technical advice: “As with most problems, avoidance is better than remediation. According to X-Force Threat Intelligent Index, the #1 initial attack vector for ransomware is to scan open networks and exploit. The deperimeterization of the corporate networks with the advent of cloud and SaaS applications, has eroded infrastructure control for IT organizations. As current geopolitical news events show, governments, critical infrastructure industries and enterprises alike need to assure zero trust strategies even at the network level and traditional IPsec encryption alone is not enough to safeguard the integrity and privacy of sensitive communications.”
And according to Sanjay Raja, Unified Security and Risk Solution Provider for Gurucul: “As RagnarLocker is hardly new ransomware it shows that current Endpoint, XDR and SIEM solutions are failing organizations in detecting and remediating these attacks successfully. Threat actors continue to slightly modify their techniques to evade poorly designed rule-based artificial intelligence and limited black box machine learning models for detecting slight variations in attacks using existing malware or ransomware. The threat actor groups using RagnarLock, through the mechanism of selecting ‘what not to encrypt’ has managed to evade detection through traditional methods. This highlights the need for a large number of automatically trained machine learning (ML) models that can detect emerging attacks and variants without having to be constantly updated.”
Some free assistance is on the way in the form of the Critical Infrastructure Defense Project, an initiative involving three of the biggest cyber defense firms: Cloudflare, CrowdStrike, and Ping Identity. The initiative is offering free cyber security services to critical infrastructure companies for the next four months, due to the elevated risk caused by the war in Ukraine. Cloudflare is offering access to its full suite of zero trust security products, CrowdStrike will provide critical infrastructure clients with endpoint protection and intelligence services, and Ping Identity is also offering zero trust products in addition to a detailed guide to defense of cyber attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) also followed up the FBI alert with a message of its own for small and medium-size businesses. Executive Director Brandon Wales said that the homeland is not presently considered to be threatened by intentional cyber campaigns related to the war, but that businesses of all types and sizes need to be on elevated alert for ransomware attempts.
According to Mark Carrigan, SVP of Process Safety and OT Cybersecurity at Hexagon PPM: “In times of intense warfare and geopolitical tension, the command, control and logistics of the adversary are likely to be top targets. It’s time for operators of critical infrastructure to focus on resilience and ensure they have robust response plans in place to fight this ever-expanding threat. Owners and operators must create a plan to upgrade end of life systems that act as easy targets. What we see often is that owners/operators continue to struggle with generating a full inventory of devices and operating systems in their production networks. The tools are available today to get 100% visibility into the software and firmware versions of these systems, along with much more useful data, whether they are on the network or ‘islanded.’ Mitigating this extensive threat starts with generating a full inventory to know what you have and also ensure you are capturing offline backups of the configuration files of these critical systems so that if you were to get hit, you would have the ability to restore operations faster and safely. These highly-sophisticated cyber threats aren’t going away any time soon and companies large and small are in the cross-hairs. For OT/ICS security managers, 2022 should be the year of resilience.”