FBI Warns of Renewed Ragnar Locker Ransomware Activity

The FBI has issued a new flash alert about new instances of Ragnar Locker ransomware infections. The alert (MU-000140-MW) comes approximately seven months after the first Ragnar Locker attack and aims to help businesses shield themselves against the persistent threat, which has plagued companies across the entire economic spectrum since April 2020.

Infection Overview

To achieve its goal, Ragnar Locker must find its way to the target’s network and examine the data contained therein.

Note! Before Ragnar Locker springs into action, it checks the victim’s system locale through the Windows API GetLocaleInfoW function. If the victim turns out to be located in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Russia, Turkmenistan, Uzbekistan, Ukraine, or Georgia, Ragnar Locker stops the infection process and goes no further. Apparently, PC users residing in any of those countries are currently exempt from Ragnar Locker attacks.

Otherwise, Ragnar Locker will utilize UPX, VMProtect, as well as a string of alternative custom executable packers to store the ransomware within a virtual Windows XP computer and carry out its remote attacks. While examining the targeted network, Ragnar Locker checks for any other malware infections that may already be under way. After gathering all the necessary network details, Ragnar Locker assigns a unique ID to the targeted network and assigns drive letters to any unmapped external drives.

A Selective Approach

Rather than block normal operations within the compromised network, Ragnar Locker leaves system files and web surfing tools intact to enable the actual encryption process to run in the background. However, the ransomware does block remote access tools to prevent network administrators from intercepting the attack.


The crooks utilizing Ragnar Locker apply various code obfuscation tools to keep the ransomware elusive. What is more, they name the payload used in each attack after the target’s NETBIOS name. The latter is appended right next to the payload’s .RGNR extension (.RGNR_).

Leaving No Stone Unturned

Once Ragnar Locker starts encryption, it affects each designated logical drive within the network. What is more, it also makes sure to erase the backup copies created by the Volume Shadow Copy Service by running both the vssadmin delete shadows /all /quiet and wmic.exe.shadowcopy.delete commands. The infection concludes with the ransom note – a document named RAGNAR_LOCKER.txt – containing ransom payment and other instructions.
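
The indicators named in this article (the two shadow-copy deletion commands, the RAGNAR_LOCKER.txt note and the .RGNR_ extension) can be checked for in process-creation and file-creation logs. The following Python is an added example, not code from the FBI alert or the original article; the event format, host names and sample events (including the EXAMPLE suffix after .RGNR_) are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators come from the article text. Matching is case-insensitive, allows an
# optional ".exe", and accepts spaces or dots between the wmic tokens.
CMD_PATTERNS = {
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(\.exe)?[\s.]+shadowcopy[\s.]+delete\b", re.I),
}
FILE_PATTERNS = {
    "ransom_note": re.compile(r"(^|[\\/])RAGNAR_LOCKER\.txt$", re.I),
    "rgnr_extension": re.compile(r"\.RGNR_[^\\/]*$", re.I),
}

def classify(event):
    """Return sorted indicator names matched by one event.
    Assumed event shape: 'process' events carry 'cmdline', 'file' events carry 'path'."""
    if event["type"] == "process":
        text, patterns = event["cmdline"], CMD_PATTERNS
    else:
        text, patterns = event["path"], FILE_PATTERNS
    return sorted(name for name, rx in patterns.items() if rx.search(text))

def triage(events):
    """Group hits per host: 'high' when backup deletion and a file artifact co-occur,
    'medium' for a single class of indicator (e.g. an admin pruning shadow copies)."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(classify(ev))
    report = {}
    for host, names in hits.items():
        if not names:
            continue  # host produced events but none matched
        both = bool(names & set(CMD_PATTERNS)) and bool(names & set(FILE_PATTERNS))
        report[host] = ("high" if both else "medium", sorted(names))
    return report

# Constructed sample events, not taken from a real incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "type": "process", "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\Public\RAGNAR_LOCKER.txt"},
    {"host": "WS01", "type": "file", "path": r"D:\share\report.xlsx.RGNR_EXAMPLE"},
    {"host": "WS02", "type": "process", "cmdline": "vssadmin list shadows"},
    {"host": "WS02", "type": "file", "path": r"C:\notes\ragnar_locker_review.txt"},
    {"host": "WS03", "type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]

if __name__ == "__main__":
    for host, (severity, names) in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, severity, ", ".join(names))
```

Shadow-copy deletion alone is also seen in legitimate backup maintenance, which is why the example only escalates a host when it appears together with the ransom note or the renamed files.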

Preventive Measures

Similar to any other ransomware attack, Ragnar Locker is capable of inflicting mass damage, often costing victims millions to recover. That is why the conventional measures related to keeping offline backups, up-to-date AV solutions, secure Wi-Fi hotspots and VPNs, and multi-factor password authentication tools should remain of paramount importance to large organizations and small businesses alike.