FBI finds Ragnar Locker hit 52 U.S. critical infrastructure targets


Over the past two years, the Ragnar Locker ransomware gang attacked more than 50 critical infrastructure entities in the U.S., according to the FBI.

A flash alert issued Monday by the law enforcement agency’s cyber division detailed new indicators of compromise for the variant, which the FBI tracked from April 2020 through January 2022. During that time, the FBI observed “at least 52 entities across 10 critical infrastructure sectors” affected by the ransomware, including critical manufacturing, energy, financial services, government and information technology.

Sophisticated evasion tactics and significant extortion demands following data exfiltration put Ragnar Locker on the radar as a threat to enterprises. The gang’s obfuscation methods were so successful that other ransomware groups started adopting them.

For example, the alert noted that rather than “choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt,” which allows the system to keep running normally while the malware spreads.

“RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” the alert said.

In addition, the FBI determined that the operators behind Ragnar Locker avoided certain countries, most notably Russia. Prior to Russian law enforcement action earlier this year against another ransomware group, REvil, dark web chatter revealed that actors felt safe operating in Russia.

“If the victim location is identified as ‘Azerbaijani,’ ‘Armenian,’ ‘Belorussian,’ ‘Kazakh,’ ‘Kyrgyz,’ ‘Moldavian,’ ‘Tajik,’ ‘Russian,’ ‘Turkmen,’ ‘Uzbek,’ ‘Ukrainian,’ or ‘Georgian,’ the process terminates,” the alert said.

The alert highlighted the repeated use of Windows APIs, including GetLocaleInfoW, to identify the locale of the target system. The ransomware also attempts to delete all Volume Shadow Copies of data using two commands: >vssadmin delete shadows /all /quiet and >wmic.exe shadowcopy delete.
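The two shadow-copy deletion commands named above are a common early signal that ransomware is about to encrypt a host, because they remove the on-box recovery path before the encryption run. The following is an added detection example, not code from the FBI alert or from any vendor: it scans constructed process-creation events (fields shaped like those a Sysmon Event ID 1 or Windows Security 4688 record exposes; the sample values are made up) and flags command lines that delete shadow copies through vssadmin or WMIC. The rules generalize slightly beyond the exact strings in the alert, so that variant spacing, case, or a single-volume "/For=" form still matches, while shadow-copy enumeration and unrelated WMIC use do not.

```python
import re
from typing import Iterable, Optional

# Constructed process-creation events, shaped like the fields a Sysmon Event ID 1 or
# Windows Security 4688 record exposes. They are illustrative samples, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},                      # benign: enumeration only
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Users\Public\svc.exe",
     "CommandLine": "VSSADMIN  Delete   Shadows /For=C: /Quiet"},  # odd case/spacing, one volume
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic process list brief"},                    # benign: unrelated WMIC use
]

# Each rule is (name, compiled pattern) applied to a normalized command line:
# lower-cased, with runs of whitespace collapsed to a single space.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
]


def normalize(command_line: str) -> str:
    """Lower-case and collapse whitespace so spacing or case tricks do not evade the rules."""
    return " ".join(command_line.split()).lower()


def match_rule(event: dict) -> Optional[str]:
    """Return the name of the first rule the event's command line triggers, else None."""
    cmd = normalize(event.get("CommandLine", ""))
    for name, pattern in RULES:
        if pattern.search(cmd):
            return name
    return None


def scan(events: Iterable[dict]) -> list:
    """Scan events in order; return one finding per hit with its index and parent context."""
    findings = []
    for idx, event in enumerate(events):
        rule = match_rule(event)
        if rule:
            findings.append({"index": idx, "rule": rule,
                             "image": event.get("Image", ""),
                             "parent": event.get("ParentImage", "")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['rule']}] event #{f['index']} image={f['image']} parent={f['parent']}")
```

The parent image is carried into each finding deliberately: a backup agent or an administrator's console session deleting shadows is a different situation from an unknown binary in a user-writable directory doing so, and that context is what an analyst needs to triage the alert quickly.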

A report last month by industrial security vendor Dragos found that in 2021, ransomware was a principal threat to industrial control systems and operational technology. One top target was manufacturing, which accounted for 211 ransomware attacks. While LockBit 2.0 and Conti caused more than half of the total ransomware attacks against the industrial sector, Ragnar Locker also made the list.

The FBI alert also provided indicators of compromise and offered mitigation measures such as network segmentation, implementing multifactor authentication, disabling unused remote access and auditing user accounts that have administrator privileges.