[MART] - Daily Diary #466 - RagnarLocker Ransomware Affects 52 U.S. Organizations

CTAS-MAT ctas-mat at appgate.com
Wed Mar 9 20:35:58 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

03/09/2022 - Diary entry #466:

First covered in our Daily #15, RagnarLocker is a Ransomware group that emerged in 2020 and as up today, already published stolen data from 54 different entities on their wall-of-shame blog. The total amount of victims is likely higher since they only publish stolen data of companies that didn't pay the ransom.

In a recent FBI report, RagnarLocker affected at least 52 U.S. entities across 10 critical infrastructure sectors such as energy, financial, government, information technology, and manufacturing. RagnarLocker is a financially motivated group using the double-extortion model. According to their Rules page, after closing a successful deal, they guarantee to delete all stolen information from their servers as well additional backdoors in the victim's infrastructure and finally, provide the decryptor and a list of recommendations to improve security measures.

RagnarLocker ransomware deletes all shadow copies, encrypts all targeted files with the ".RGNR_<VICTIM_UNIQUE_HASHED_ID>" extension, and drop a ransom note with instructions to negotiate with the group. Their malware samples are protected with known solutions such as UPX, VMProtect, or custom algorithms, to avoid detection and reverse engineering. They also deploy the malware inside a custom Windows XP virtual machine to evade security endpoints.

The threat actors behind RagnarLocker are still unknown, but curiously they avoid executing on machines configured with languages belonging to any country from the former Soviet Union, meaning that they are possibly located in Russia like other ransomware families. To be protected against RagnarLocker, we recommend the same measures for any Ransomware attack: securing and maintaining regular backups, adopting a ZeroTrust architecture, isolating systems, and segmenting networks.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
C: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220309/bdc027f9/attachment.htm>

More information about the MART mailing list